@opentrust/db 7.1.0

package/dist/queries/observations.js

@@ -0,0 +1,212 @@
+import { eq, and, desc, count, sql } from "drizzle-orm";
+import { toolCallObservations, agentPermissions } from "../schema/index.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+// ─── Tool name → category / access pattern inference ────────────
+const ACCESS_READ_PREFIXES = ["list", "get", "search", "read", "fetch", "find", "query", "check", "view"];
+const ACCESS_WRITE_PREFIXES = ["create", "send", "write", "update", "edit", "post", "put", "add", "set"];
+const ACCESS_ADMIN_PREFIXES = ["delete", "remove", "execute", "run", "admin", "destroy", "revoke", "drop"];
+export function inferCategory(toolName) {
+    // "github_create_issue" → "github"
+    // "slack_send_message" → "slack"
+    // "read_file" → "filesystem"
+    const lower = toolName.toLowerCase();
+    if (lower.startsWith("read_file") || lower.startsWith("write_file") || lower.startsWith("list_dir")) {
+        return "filesystem";
+    }
+    if (lower.startsWith("execute_command") || lower.startsWith("run_command") || lower === "bash") {
+        return "shell";
+    }
+    const underscoreIdx = lower.indexOf("_");
+    if (underscoreIdx > 0) {
+        return lower.slice(0, underscoreIdx);
+    }
+    return lower;
+}
+export function inferAccessPattern(toolName) {
+    const lower = toolName.toLowerCase();
+    // Strip category prefix: "github_create_issue" → "create_issue"
+    const underscoreIdx = lower.indexOf("_");
+    const action = underscoreIdx > 0 ? lower.slice(underscoreIdx + 1) : lower;
+    for (const prefix of ACCESS_ADMIN_PREFIXES) {
+        if (action.startsWith(prefix))
+            return "admin";
+    }
+    for (const prefix of ACCESS_WRITE_PREFIXES) {
+        if (action.startsWith(prefix))
+            return "write";
+    }
+    for (const prefix of ACCESS_READ_PREFIXES) {
+        if (action.startsWith(prefix))
+            return "read";
+    }
+    return "unknown";
+}
+// ─── Query Functions ────────────────────────────────────────────
+export function observationQueries(db) {
+    return {
+        /**
+         * Record a tool call observation.
+         */
+        async record(data) {
+            const category = inferCategory(data.toolName);
+            const accessPattern = inferAccessPattern(data.toolName);
+            const tenantId = data.tenantId ?? DEFAULT_TENANT_ID;
+            await db.insert(toolCallObservations).values({
+                agentId: data.agentId,
+                sessionKey: data.sessionKey ?? null,
+                toolName: data.toolName,
+                category,
+                accessPattern,
+                paramsJson: data.params ?? null,
+                phase: data.phase,
+                resultJson: data.result ?? null,
+                error: data.error ?? null,
+                durationMs: data.durationMs ?? null,
+                blocked: data.blocked ?? false,
+                blockReason: data.blockReason ?? null,
+                tenantId,
+            });
+            // Upsert permission on "after" phase (or "before" if blocked)
+            if (data.phase === "after" || data.blocked) {
+                await this.upsertPermission({
+                    agentId: data.agentId,
+                    toolName: data.toolName,
+                    category,
+                    accessPattern,
+                    params: data.params,
+                    hasError: !!data.error,
+                    tenantId,
+                });
+            }
+        },
+        /**
+         * Upsert an agent permission entry based on observed tool call.
+         */
+        async upsertPermission(data) {
+            const now = new Date().toISOString();
+            // Check if permission already exists
+            const existing = await db
+                .select()
+                .from(agentPermissions)
+                .where(and(eq(agentPermissions.tenantId, data.tenantId), eq(agentPermissions.agentId, data.agentId), eq(agentPermissions.toolName, data.toolName)))
+                .limit(1);
+            if (existing.length > 0) {
+                const perm = existing[0];
+                const targets = perm.targetsJson || [];
+                const newTargets = extractTargets(data.params);
+                const mergedTargets = mergeTargets(targets, newTargets);
+                await db
+                    .update(agentPermissions)
+                    .set({
+                    callCount: (perm.callCount ?? 0) + 1,
+                    errorCount: (perm.errorCount ?? 0) + (data.hasError ? 1 : 0),
+                    lastSeen: now,
+                    targetsJson: mergedTargets,
+                })
+                    .where(eq(agentPermissions.id, perm.id));
+            }
+            else {
+                const targets = extractTargets(data.params);
+                await db.insert(agentPermissions).values({
+                    tenantId: data.tenantId,
+                    agentId: data.agentId,
+                    toolName: data.toolName,
+                    category: data.category,
+                    accessPattern: data.accessPattern,
+                    targetsJson: targets,
+                    callCount: 1,
+                    errorCount: data.hasError ? 1 : 0,
+                    firstSeen: now,
+                    lastSeen: now,
+                });
+            }
+        },
+        /**
+         * Get recent observations, optionally filtered by agentId.
+         */
+        async findRecent(opts = {}) {
+            const tenantId = opts.tenantId ?? DEFAULT_TENANT_ID;
+            const limit = opts.limit ?? 50;
+            const conditions = [eq(toolCallObservations.tenantId, tenantId)];
+            if (opts.agentId) {
+                conditions.push(eq(toolCallObservations.agentId, opts.agentId));
+            }
+            return db
+                .select()
+                .from(toolCallObservations)
+                .where(and(...conditions))
+                .orderBy(desc(toolCallObservations.timestamp))
+                .limit(limit);
+        },
+        /**
+         * Get the aggregated permission profile for an agent.
+         */
+        async getPermissions(agentId, tenantId = DEFAULT_TENANT_ID) {
+            return db
+                .select()
+                .from(agentPermissions)
+                .where(and(eq(agentPermissions.tenantId, tenantId), eq(agentPermissions.agentId, agentId)))
+                .orderBy(desc(agentPermissions.callCount));
+        },
+        /**
+         * Get permissions for all agents (overview).
+         */
+        async getAllPermissions(tenantId = DEFAULT_TENANT_ID) {
+            return db
+                .select()
+                .from(agentPermissions)
+                .where(eq(agentPermissions.tenantId, tenantId))
+                .orderBy(agentPermissions.agentId, desc(agentPermissions.callCount));
+        },
+        /**
+         * Find first-seen tool calls (anomalies) — permissions with callCount = 1.
+         */
+        async findAnomalies(tenantId = DEFAULT_TENANT_ID, limit = 20) {
+            return db
+                .select()
+                .from(agentPermissions)
+                .where(and(eq(agentPermissions.tenantId, tenantId), eq(agentPermissions.callCount, 1)))
+                .orderBy(desc(agentPermissions.firstSeen))
+                .limit(limit);
+        },
+        /**
+         * Get observation count summary per agent.
+         */
+        async summary(tenantId = DEFAULT_TENANT_ID) {
+            return db
+                .select({
+                agentId: toolCallObservations.agentId,
+                totalCalls: count(),
+                blockedCalls: sql `sum(case when ${toolCallObservations.blocked} = true then 1 else 0 end)`,
+                uniqueTools: sql `count(distinct ${toolCallObservations.toolName})`,
+            })
+                .from(toolCallObservations)
+                .where(eq(toolCallObservations.tenantId, tenantId))
+                .groupBy(toolCallObservations.agentId);
+        },
+    };
+}
+// ─── Helpers ────────────────────────────────────────────────────
+/** Extract likely target identifiers from tool call params. */
+function extractTargets(params) {
+    if (!params)
+        return [];
+    const targets = [];
+    const targetKeys = ["repo", "repository", "channel", "to", "email", "path", "file", "url", "owner", "user", "org"];
+    for (const key of targetKeys) {
+        const val = params[key];
+        if (typeof val === "string" && val.length > 0 && val.length < 200) {
+            targets.push(val);
+        }
+    }
+    return targets;
+}
+/** Merge new targets into existing list, capped at 50 entries. */
+function mergeTargets(existing, incoming) {
+    const set = new Set(existing);
+    for (const t of incoming) {
+        set.add(t);
+    }
+    const merged = [...set];
+    return merged.length > 50 ? merged.slice(-50) : merged;
+}

package/dist/queries/policies.d.ts

@@ -0,0 +1,25 @@
+import type { Database } from "../client.js";
+export declare function policyQueries(db: Database): {
+    findAll(tenantId?: string): Promise<any>;
+    findById(id: string, tenantId?: string): Promise<any>;
+    create(data: {
+        name: string;
+        description?: string | null;
+        scannerIds: string[];
+        action: string;
+        sensitivityThreshold?: number;
+        tenantId?: string;
+    }): Promise<unknown>;
+    update(id: string, data: Partial<{
+        name: string;
+        description: string | null;
+        scannerIds: string[];
+        action: string;
+        sensitivityThreshold: number;
+        isEnabled: boolean;
+    }>, tenantId?: string): Promise<unknown>;
+    delete(id: string, tenantId?: string): Promise<void>;
+    /** Get all enabled policies for detection flow */
+    getEnabled(tenantId?: string): Promise<any>;
+};
+//# sourceMappingURL=policies.d.ts.map

package/dist/queries/policies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies.d.ts","sourceRoot":"","sources":["../../src/queries/policies.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAK7C,wBAAgB,aAAa,CAAC,EAAE,EAAE,QAAQ;uBAEd,MAAM;iBAIX,MAAM,aAAY,MAAM;iBAKxB;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC5B,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,oBAAoB,CAAC,EAAE,MAAM,CAAC;QAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;eAQgB,MAAM,QAAQ,OAAO,CAAC;QACrC,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;QAC3B,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,oBAAoB,EAAE,MAAM,CAAC;QAC7B,SAAS,EAAE,OAAO,CAAC;KACpB,CAAC,aAAY,MAAM;eAOH,MAAM,aAAY,MAAM;IAIzC,kDAAkD;0BACvB,MAAM;EAOpC"}

package/dist/queries/policies.js

@@ -0,0 +1,38 @@
+import { eq, and } from "drizzle-orm";
+import { policies } from "../schema/index.js";
+import { insertReturning, updateReturning } from "../helpers.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+export function policyQueries(db) {
+    return {
+        async findAll(tenantId = DEFAULT_TENANT_ID) {
+            return db.select().from(policies).where(eq(policies.tenantId, tenantId)).orderBy(policies.createdAt);
+        },
+        async findById(id, tenantId = DEFAULT_TENANT_ID) {
+            const result = await db.select().from(policies).where(and(eq(policies.id, id), eq(policies.tenantId, tenantId))).limit(1);
+            return result[0] ?? null;
+        },
+        async create(data) {
+            return insertReturning(db, policies, {
+                ...data,
+                sensitivityThreshold: data.sensitivityThreshold ?? 0.5,
+                tenantId: data.tenantId ?? DEFAULT_TENANT_ID,
+            });
+        },
+        async update(id, data, tenantId = DEFAULT_TENANT_ID) {
+            return updateReturning(db, policies, and(eq(policies.id, id), eq(policies.tenantId, tenantId)), {
+                ...data,
+                updatedAt: new Date().toISOString(),
+            });
+        },
+        async delete(id, tenantId = DEFAULT_TENANT_ID) {
+            await db.delete(policies).where(and(eq(policies.id, id), eq(policies.tenantId, tenantId)));
+        },
+        /** Get all enabled policies for detection flow */
+        async getEnabled(tenantId = DEFAULT_TENANT_ID) {
+            return db
+                .select()
+                .from(policies)
+                .where(and(eq(policies.isEnabled, true), eq(policies.tenantId, tenantId)));
+        },
+    };
+}

package/dist/queries/scanners.d.ts

@@ -0,0 +1,25 @@
+import type { Database } from "../client.js";
+export declare function scannerQueries(db: Database): {
+    /** Get all scanners (defaults + overrides) */
+    getAll(tenantId?: string): Promise<any>;
+    /** Get all system default scanners */
+    getDefaults(tenantId?: string): Promise<any>;
+    /** Get enabled scanners for detection */
+    getEnabled(tenantId?: string): Promise<any>;
+    /** Upsert a scanner override */
+    upsert(data: {
+        scannerId: string;
+        name: string;
+        description: string;
+        isEnabled: boolean;
+        tenantId?: string;
+    }): Promise<unknown>;
+    /** Create a system default scanner */
+    createDefault(data: {
+        scannerId: string;
+        name: string;
+        description: string;
+        tenantId?: string;
+    }): Promise<unknown>;
+};
+//# sourceMappingURL=scanners.d.ts.map

package/dist/queries/scanners.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanners.d.ts","sourceRoot":"","sources":["../../src/queries/scanners.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAK7C,wBAAgB,cAAc,CAAC,EAAE,EAAE,QAAQ;IAEvC,8CAA8C;sBACvB,MAAM;IAQ7B,sCAAsC;2BACV,MAAM;IAQlC,yCAAyC;0BACd,MAAM;IAQjC,gCAAgC;iBACb;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,SAAS,EAAE,OAAO,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;IAsBD,sCAAsC;wBACZ;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE;EAQxG"}

package/dist/queries/scanners.js

@@ -0,0 +1,56 @@
+import { eq, and } from "drizzle-orm";
+import { scannerDefinitions } from "../schema/index.js";
+import { insertReturning } from "../helpers.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+export function scannerQueries(db) {
+    return {
+        /** Get all scanners (defaults + overrides) */
+        async getAll(tenantId = DEFAULT_TENANT_ID) {
+            return db
+                .select()
+                .from(scannerDefinitions)
+                .where(eq(scannerDefinitions.tenantId, tenantId))
+                .orderBy(scannerDefinitions.scannerId);
+        },
+        /** Get all system default scanners */
+        async getDefaults(tenantId = DEFAULT_TENANT_ID) {
+            return db
+                .select()
+                .from(scannerDefinitions)
+                .where(and(eq(scannerDefinitions.isDefault, true), eq(scannerDefinitions.tenantId, tenantId)))
+                .orderBy(scannerDefinitions.scannerId);
+        },
+        /** Get enabled scanners for detection */
+        async getEnabled(tenantId = DEFAULT_TENANT_ID) {
+            return db
+                .select()
+                .from(scannerDefinitions)
+                .where(and(eq(scannerDefinitions.isEnabled, true), eq(scannerDefinitions.tenantId, tenantId)))
+                .orderBy(scannerDefinitions.scannerId);
+        },
+        /** Upsert a scanner override */
+        async upsert(data) {
+            const tid = data.tenantId ?? DEFAULT_TENANT_ID;
+            // Delete existing non-default with same scannerId for this tenant
+            await db
+                .delete(scannerDefinitions)
+                .where(and(eq(scannerDefinitions.scannerId, data.scannerId), eq(scannerDefinitions.isDefault, false), eq(scannerDefinitions.tenantId, tid)));
+            return insertReturning(db, scannerDefinitions, {
+                scannerId: data.scannerId,
+                name: data.name,
+                description: data.description,
+                isEnabled: data.isEnabled,
+                isDefault: false,
+                tenantId: tid,
+            });
+        },
+        /** Create a system default scanner */
+        async createDefault(data) {
+            return insertReturning(db, scannerDefinitions, {
+                ...data,
+                isDefault: true,
+                tenantId: data.tenantId ?? DEFAULT_TENANT_ID,
+            });
+        },
+    };
+}

package/dist/queries/settings.d.ts

@@ -0,0 +1,8 @@
+import type { Database } from "../client.js";
+export declare function settingsQueries(db: Database): {
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string): Promise<void>;
+    getAll(): Promise<Record<string, string>>;
+    delete(key: string): Promise<void>;
+};
+//# sourceMappingURL=settings.d.ts.map

package/dist/queries/settings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.d.ts","sourceRoot":"","sources":["../../src/queries/settings.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAG7C,wBAAgB,eAAe,CAAC,EAAE,EAAE,QAAQ;aAEzB,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;aAK/B,MAAM,SAAS,MAAM;cASpB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAS7B,MAAM;EAI3B"}

package/dist/queries/settings.js

@@ -0,0 +1,30 @@
+import { eq } from "drizzle-orm";
+import { settings } from "../schema/index.js";
+export function settingsQueries(db) {
+    return {
+        async get(key) {
+            const result = await db.select().from(settings).where(eq(settings.key, key)).limit(1);
+            return result[0]?.value ?? null;
+        },
+        async set(key, value) {
+            const existing = await this.get(key);
+            if (existing !== null) {
+                await db.update(settings).set({ value, updatedAt: new Date().toISOString() }).where(eq(settings.key, key));
+            }
+            else {
+                await db.insert(settings).values({ key, value });
+            }
+        },
+        async getAll() {
+            const rows = await db.select().from(settings);
+            const result = {};
+            for (const row of rows) {
+                result[row.key] = row.value;
+            }
+            return result;
+        },
+        async delete(key) {
+            await db.delete(settings).where(eq(settings.key, key));
+        },
+    };
+}

package/dist/queries/usage.d.ts

@@ -0,0 +1,18 @@
+import type { Database } from "../client.js";
+export declare function usageQueries(db: Database): {
+    log(data: {
+        agentId?: string | null;
+        endpoint: string;
+        statusCode: number;
+        responseSafe: boolean | null;
+        categories?: string[];
+        latencyMs: number;
+        requestId: string;
+        tenantId?: string;
+    }): Promise<void>;
+    countInPeriod(start: Date | string, end: Date | string, tenantId?: string): Promise<any>;
+    summary(start: Date | string, end: Date | string, tenantId?: string): Promise<any>;
+    daily(start: Date | string, end: Date | string, tenantId?: string): Promise<any>;
+    countRecent(minutes?: number, tenantId?: string): Promise<any>;
+};
+//# sourceMappingURL=usage.d.ts.map

package/dist/queries/usage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"usage.d.ts","sourceRoot":"","sources":["../../src/queries/usage.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAI7C,wBAAgB,YAAY,CAAC,EAAE,EAAE,QAAQ;cAErB;QACd,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,OAAO,GAAG,IAAI,CAAC;QAC7B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;QACtB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;yBAQ0B,IAAI,GAAG,MAAM,OAAO,IAAI,GAAG,MAAM,aAAY,MAAM;mBAQzD,IAAI,GAAG,MAAM,OAAO,IAAI,GAAG,MAAM,aAAY,MAAM;iBAYrD,IAAI,GAAG,MAAM,OAAO,IAAI,GAAG,MAAM,aAAY,MAAM;0BAe3C,MAAM,aAAgB,MAAM;EAS1D"}

package/dist/queries/usage.js

@@ -0,0 +1,54 @@
+import { eq, gte, lte, sql, count, and } from "drizzle-orm";
+import { usageLogs } from "../schema/index.js";
+import { DEFAULT_TENANT_ID } from "@opentrust/shared";
+export function usageQueries(db) {
+    return {
+        async log(data) {
+            await db.insert(usageLogs).values({
+                ...data,
+                categories: data.categories ?? [],
+                tenantId: data.tenantId ?? DEFAULT_TENANT_ID,
+            });
+        },
+        async countInPeriod(start, end, tenantId = DEFAULT_TENANT_ID) {
+            const result = await db
+                .select({ count: count() })
+                .from(usageLogs)
+                .where(and(gte(usageLogs.createdAt, start), lte(usageLogs.createdAt, end), eq(usageLogs.tenantId, tenantId)));
+            return result[0]?.count ?? 0;
+        },
+        async summary(start, end, tenantId = DEFAULT_TENANT_ID) {
+            const result = await db
+                .select({
+                totalCalls: count(),
+                safeCount: sql `sum(case when ${usageLogs.responseSafe} = true then 1 else 0 end)`,
+                unsafeCount: sql `sum(case when ${usageLogs.responseSafe} = false then 1 else 0 end)`,
+            })
+                .from(usageLogs)
+                .where(and(gte(usageLogs.createdAt, start), lte(usageLogs.createdAt, end), eq(usageLogs.tenantId, tenantId)));
+            return result[0] ?? { totalCalls: 0, safeCount: 0, unsafeCount: 0 };
+        },
+        async daily(start, end, tenantId = DEFAULT_TENANT_ID) {
+            const result = await db
+                .select({
+                date: sql `date(${usageLogs.createdAt})`,
+                count: count(),
+                safeCount: sql `sum(case when ${usageLogs.responseSafe} = true then 1 else 0 end)`,
+                unsafeCount: sql `sum(case when ${usageLogs.responseSafe} = false then 1 else 0 end)`,
+            })
+                .from(usageLogs)
+                .where(and(gte(usageLogs.createdAt, start), lte(usageLogs.createdAt, end), eq(usageLogs.tenantId, tenantId)))
+                .groupBy(sql `date(${usageLogs.createdAt})`)
+                .orderBy(sql `date(${usageLogs.createdAt})`);
+            return result;
+        },
+        async countRecent(minutes = 1, tenantId = DEFAULT_TENANT_ID) {
+            const since = new Date(Date.now() - minutes * 60_000).toISOString();
+            const result = await db
+                .select({ count: count() })
+                .from(usageLogs)
+                .where(and(gte(usageLogs.createdAt, since), eq(usageLogs.tenantId, tenantId)));
+            return result[0]?.count ?? 0;
+        },
+    };
+}