@pikku/kysely 0.12.1 → 0.12.3

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 ## 0.12.0
 
+## 0.12.3
+
+### Patch Changes
+
+- 32ed003: Add envelope encryption utilities and database-backed secret services with KEK rotation support
+- 387b2ee: Add error_message column to agent run storage and queries
+- b2b0af9: Migrate all consumers from @pikku/pg to @pikku/kysely and remove the @pikku/pg package
+- c7ff141: Add WorkflowVersionStatus type with draft→active lifecycle for AI-generated workflows, type all DB status fields with proper unions instead of plain strings
+- Updated dependencies [387b2ee]
+- Updated dependencies [32ed003]
+- Updated dependencies [7d369f3]
+- Updated dependencies [508a796]
+- Updated dependencies [ffe83af]
+- Updated dependencies [c7ff141]
+  - @pikku/core@0.12.3
+
+## 0.12.2
+
+### Patch Changes
+
+- ce961b5: fix: improve MySQL compatibility in AI storage service by using varchar columns with explicit lengths instead of text for primary keys, foreign keys, and indexed columns, and handle duplicate index errors gracefully
+- 3e04565: chore: update dependencies to latest minor/patch versions
+- Updated dependencies [cc4c9e9]
+- Updated dependencies [3e04565]
+  - @pikku/core@0.12.2
+
 ## 0.12.1
 
 ### Patch Changes

package/dist/src/index.d.ts

@@ -1,4 +1,3 @@
-export { PikkuKysely } from './pikku-kysely.js';
 export { KyselyChannelStore } from './kysely-channel-store.js';
 export { KyselyEventHubStore } from './kysely-eventhub-store.js';
 export { KyselyWorkflowService } from './kysely-workflow-service.js';
@@ -6,6 +5,8 @@ export { KyselyWorkflowRunService } from './kysely-workflow-run-service.js';
 export { KyselyDeploymentService } from './kysely-deployment-service.js';
 export { KyselyAIStorageService } from './kysely-ai-storage-service.js';
 export { KyselyAgentRunService } from './kysely-agent-run-service.js';
+export { KyselySecretService } from './kysely-secret-service.js';
+export type { KyselySecretServiceConfig } from './kysely-secret-service.js';
 export type { KyselyPikkuDB } from './kysely-tables.js';
 export type { WorkflowRunService } from '@pikku/core/workflow';
 export type { AgentRunService, AgentRunRow } from '@pikku/core/ai-agent';

package/dist/src/index.js

@@ -1,4 +1,3 @@
-export { PikkuKysely } from './pikku-kysely.js';
 export { KyselyChannelStore } from './kysely-channel-store.js';
 export { KyselyEventHubStore } from './kysely-eventhub-store.js';
 export { KyselyWorkflowService } from './kysely-workflow-service.js';
@@ -6,3 +5,4 @@ export { KyselyWorkflowRunService } from './kysely-workflow-run-service.js';
 export { KyselyDeploymentService } from './kysely-deployment-service.js';
 export { KyselyAIStorageService } from './kysely-ai-storage-service.js';
 export { KyselyAgentRunService } from './kysely-agent-run-service.js';
+export { KyselySecretService } from './kysely-secret-service.js';

package/dist/src/kysely-agent-run-service.js

@@ -113,6 +113,7 @@ export class KyselyAgentRunService {
             'thread_id',
             'resource_id',
             'status',
+            'error_message',
             'suspend_reason',
             'missing_rpcs',
             'usage_input_tokens',
@@ -159,6 +160,7 @@ export class KyselyAgentRunService {
             threadId: row.thread_id,
             resourceId: row.resource_id,
             status: row.status,
+            errorMessage: row.error_message ?? undefined,
             suspendReason: row.suspend_reason ?? undefined,
             missingRpcs: parseJson(row.missing_rpcs),
             usageInputTokens: Number(row.usage_input_tokens),

package/dist/src/kysely-ai-storage-service.d.ts

@@ -6,6 +6,7 @@ export declare class KyselyAIStorageService implements AIStorageService, AIRunSt
     private db;
     private initialized;
     constructor(db: Kysely<KyselyPikkuDB>);
+    private createIndexSafe;
     init(): Promise<void>;
     createThread(resourceId: string, options?: {
         threadId?: string;

package/dist/src/kysely-ai-storage-service.js

@@ -6,6 +6,22 @@ export class KyselyAIStorageService {
     constructor(db) {
         this.db = db;
     }
+    async createIndexSafe(builder) {
+        try {
+            await builder.execute();
+        }
+        catch (e) {
+            // Ignore "index already exists" errors across databases
+            // MySQL: ER_DUP_KEYNAME, Postgres: 42P07, SQLite: "already exists"
+            if (e?.code === 'ER_DUP_KEYNAME' || e?.errno === 1061)
+                return;
+            if (e?.code === '42P07')
+                return;
+            if (e?.message?.includes('already exists'))
+                return;
+            throw e;
+        }
+    }
     async init() {
         if (this.initialized) {
             return;
@@ -13,68 +29,60 @@ export class KyselyAIStorageService {
         await this.db.schema
             .createTable('ai_threads')
             .ifNotExists()
-            .addColumn('id', 'text', (col) => col.primaryKey())
-            .addColumn('resource_id', 'text', (col) => col.notNull())
+            .addColumn('id', 'varchar(36)', (col) => col.primaryKey())
+            .addColumn('resource_id', 'varchar(255)', (col) => col.notNull())
             .addColumn('title', 'text')
             .addColumn('metadata', 'text')
             .addColumn('created_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
             .addColumn('updated_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
             .execute();
-        await this.db.schema
+        await this.createIndexSafe(this.db.schema
             .createIndex('idx_ai_threads_resource')
-            .ifNotExists()
             .on('ai_threads')
-            .column('resource_id')
-            .execute();
+            .column('resource_id'));
         await this.db.schema
             .createTable('ai_message')
             .ifNotExists()
-            .addColumn('id', 'text', (col) => col.primaryKey())
-            .addColumn('thread_id', 'text', (col) => col.notNull().references('ai_threads.id').onDelete('cascade'))
-            .addColumn('role', 'text', (col) => col.notNull())
+            .addColumn('id', 'varchar(36)', (col) => col.primaryKey())
+            .addColumn('thread_id', 'varchar(36)', (col) => col.notNull().references('ai_threads.id').onDelete('cascade'))
+            .addColumn('role', 'varchar(50)', (col) => col.notNull())
             .addColumn('content', 'text')
             .addColumn('created_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
             .execute();
-        await this.db.schema
+        await this.createIndexSafe(this.db.schema
             .createIndex('idx_ai_message_thread')
-            .ifNotExists()
             .on('ai_message')
-            .columns(['thread_id', 'created_at'])
-            .execute();
+            .columns(['thread_id', 'created_at']));
         await this.db.schema
             .createTable('ai_tool_call')
             .ifNotExists()
-            .addColumn('id', 'text', (col) => col.primaryKey())
-            .addColumn('thread_id', 'text', (col) => col.notNull().references('ai_threads.id').onDelete('cascade'))
-            .addColumn('message_id', 'text', (col) => col.notNull().references('ai_message.id').onDelete('cascade'))
-            .addColumn('run_id', 'text')
-            .addColumn('tool_name', 'text', (col) => col.notNull())
-            .addColumn('args', 'text', (col) => col.notNull().defaultTo('{}'))
+            .addColumn('id', 'varchar(36)', (col) => col.primaryKey())
+            .addColumn('thread_id', 'varchar(36)', (col) => col.notNull().references('ai_threads.id').onDelete('cascade'))
+            .addColumn('message_id', 'varchar(36)', (col) => col.notNull().references('ai_message.id').onDelete('cascade'))
+            .addColumn('run_id', 'varchar(36)')
+            .addColumn('tool_name', 'varchar(255)', (col) => col.notNull())
+            .addColumn('args', 'text', (col) => col.notNull())
             .addColumn('result', 'text')
-            .addColumn('approval_status', 'text')
-            .addColumn('approval_type', 'text')
-            .addColumn('agent_run_id', 'text')
-            .addColumn('display_tool_name', 'text')
+            .addColumn('approval_status', 'varchar(50)')
+            .addColumn('approval_type', 'varchar(50)')
+            .addColumn('agent_run_id', 'varchar(36)')
+            .addColumn('display_tool_name', 'varchar(255)')
             .addColumn('display_args', 'text')
             .addColumn('created_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
             .execute();
-        await this.db.schema
+        await this.createIndexSafe(this.db.schema
             .createIndex('idx_ai_tool_call_thread')
-            .ifNotExists()
             .on('ai_tool_call')
-            .column('thread_id')
-            .execute();
-        await this.db.schema
+            .column('thread_id'));
+        await this.createIndexSafe(this.db.schema
             .createIndex('idx_ai_tool_call_message')
-            .ifNotExists()
             .on('ai_tool_call')
-            .column('message_id')
-            .execute();
+            .column('message_id'));
         await this.db.schema
             .createTable('ai_working_memory')
             .ifNotExists()
-            .addColumn('id', 'text', (col) => col.notNull())
-            .addColumn('scope', 'text', (col) => col.notNull())
+            .addColumn('id', 'varchar(255)', (col) => col.notNull())
+            .addColumn('scope', 'varchar(50)', (col) => col.notNull())
             .addColumn('data', 'text', (col) => col.notNull())
             .addColumn('updated_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
             .addPrimaryKeyConstraint('ai_working_memory_pk', ['id', 'scope'])
@@ -82,25 +90,24 @@ export class KyselyAIStorageService {
         await this.db.schema
             .createTable('ai_run')
             .ifNotExists()
-            .addColumn('run_id', 'text', (col) => col.primaryKey())
-            .addColumn('agent_name', 'text', (col) => col.notNull())
-            .addColumn('thread_id', 'text', (col) => col.notNull().references('ai_threads.id').onDelete('cascade'))
-            .addColumn('resource_id', 'text', (col) => col.notNull())
-            .addColumn('status', 'text', (col) => col.notNull().defaultTo('running'))
+            .addColumn('run_id', 'varchar(36)', (col) => col.primaryKey())
+            .addColumn('agent_name', 'varchar(255)', (col) => col.notNull())
+            .addColumn('thread_id', 'varchar(36)', (col) => col.notNull().references('ai_threads.id').onDelete('cascade'))
+            .addColumn('resource_id', 'varchar(255)', (col) => col.notNull())
+            .addColumn('status', 'varchar(50)', (col) => col.notNull().defaultTo('running'))
+            .addColumn('error_message', 'text')
             .addColumn('suspend_reason', 'text')
             .addColumn('missing_rpcs', 'text')
             .addColumn('usage_input_tokens', 'integer', (col) => col.notNull().defaultTo(0))
             .addColumn('usage_output_tokens', 'integer', (col) => col.notNull().defaultTo(0))
-            .addColumn('usage_model', 'text', (col) => col.notNull().defaultTo(''))
+            .addColumn('usage_model', 'varchar(255)', (col) => col.notNull().defaultTo(''))
             .addColumn('created_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
             .addColumn('updated_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
             .execute();
-        await this.db.schema
+        await this.createIndexSafe(this.db.schema
             .createIndex('idx_ai_run_thread')
-            .ifNotExists()
             .on('ai_run')
-            .columns(['thread_id', 'created_at'])
-            .execute();
+            .columns(['thread_id', 'created_at']));
         this.initialized = true;
     }
     async createThread(resourceId, options) {
@@ -219,10 +226,26 @@ export class KyselyAIStorageService {
         }
         const messages = [];
         for (const row of msgResult) {
+            const rawContent = row.content;
+            let parsedContent = rawContent ?? undefined;
+            if (rawContent) {
+                try {
+                    const parsed = JSON.parse(rawContent);
+                    if (Array.isArray(parsed)) {
+                        parsedContent = parsed;
+                    }
+                    else if (typeof parsed === 'string') {
+                        parsedContent = parsed;
+                    }
+                }
+                catch {
+                    // Not JSON, use raw string
+                }
+            }
             const msg = {
                 id: row.id,
                 role: row.role,
-                content: row.content ?? undefined,
+                content: parsedContent,
                 createdAt: new Date(row.created_at),
             };
             const tcs = tcByMessage.get(msg.id);
@@ -264,7 +287,7 @@ export class KyselyAIStorageService {
                 id: msg.id,
                 thread_id: threadId,
                 role: msg.role,
-                content: msg.content ?? null,
+                content: msg.content != null ? JSON.stringify(msg.content) : null,
                 created_at: msg.createdAt ?? new Date(),
             })))
                 .execute();
@@ -335,6 +358,7 @@ export class KyselyAIStorageService {
             thread_id: run.threadId,
             resource_id: run.resourceId,
             status: run.status,
+            error_message: run.errorMessage ?? null,
             suspend_reason: run.suspendReason ?? null,
             missing_rpcs: run.missingRpcs ? JSON.stringify(run.missingRpcs) : null,
             usage_input_tokens: run.usage.inputTokens,
@@ -354,6 +378,9 @@ export class KyselyAIStorageService {
         if (updates.status !== undefined) {
             setValues.status = updates.status;
         }
+        if (updates.errorMessage !== undefined) {
+            setValues.error_message = updates.errorMessage;
+        }
         if (updates.suspendReason !== undefined) {
             setValues.suspend_reason = updates.suspendReason;
         }
@@ -398,6 +425,7 @@ export class KyselyAIStorageService {
             'thread_id',
             'resource_id',
             'status',
+            'error_message',
             'suspend_reason',
             'missing_rpcs',
             'usage_input_tokens',
@@ -435,6 +463,7 @@ export class KyselyAIStorageService {
             'thread_id',
             'resource_id',
             'status',
+            'error_message',
             'suspend_reason',
             'missing_rpcs',
             'usage_input_tokens',
@@ -522,6 +551,7 @@ export class KyselyAIStorageService {
             threadId: row.thread_id,
             resourceId: row.resource_id,
             status: row.status,
+            errorMessage: row.error_message ?? undefined,
             suspendReason: row.suspend_reason,
             missingRpcs: parseJson(row.missing_rpcs),
             pendingApprovals,

package/dist/src/kysely-deployment-service.d.ts

@@ -2,7 +2,7 @@ import type { DeploymentService, DeploymentServiceConfig, DeploymentConfig, Depl
 import type { Kysely } from 'kysely';
 import type { KyselyPikkuDB } from './kysely-tables.js';
 export declare class KyselyDeploymentService implements DeploymentService {
-    private db;
+    protected db: Kysely<KyselyPikkuDB>;
     private initialized;
     private heartbeatTimer?;
     private deploymentConfig?;
@@ -13,5 +13,6 @@ export declare class KyselyDeploymentService implements DeploymentService {
     start(config: DeploymentConfig): Promise<void>;
     stop(): Promise<void>;
     findFunction(name: string): Promise<DeploymentInfo[]>;
+    private createIndexSafe;
     private sendHeartbeat;
 }

package/dist/src/kysely-deployment-service.js

@@ -37,18 +37,16 @@ export class KyselyDeploymentService {
             'function_name',
         ])
             .execute();
-        await this.db.schema
+        await this.createIndexSafe(this.db.schema
             .createIndex('idx_pikku_deployments_heartbeat')
             .ifNotExists()
             .on('pikku_deployments')
-            .column('last_heartbeat')
-            .execute();
-        await this.db.schema
+            .column('last_heartbeat'));
+        await this.createIndexSafe(this.db.schema
             .createIndex('idx_pikku_deployment_functions_name')
             .ifNotExists()
             .on('pikku_deployment_functions')
-            .column('function_name')
-            .execute();
+            .column('function_name'));
         this.initialized = true;
     }
     async start(config) {
@@ -111,6 +109,20 @@ export class KyselyDeploymentService {
             endpoint: row.endpoint,
         }));
     }
+    async createIndexSafe(builder) {
+        try {
+            await builder.execute();
+        }
+        catch (e) {
+            if (e?.code === 'ER_DUP_KEYNAME' || e?.errno === 1061)
+                return;
+            if (e?.code === '42P07')
+                return;
+            if (e?.message?.includes('already exists'))
+                return;
+            throw e;
+        }
+    }
     async sendHeartbeat() {
         if (!this.deploymentConfig)
             return;

package/dist/src/kysely-secret-service.d.ts

@@ -0,0 +1,29 @@
+import type { SecretService } from '@pikku/core/services';
+import type { Kysely } from 'kysely';
+import type { KyselyPikkuDB } from './kysely-tables.js';
+export interface KyselySecretServiceConfig {
+    key: string;
+    keyVersion?: number;
+    previousKey?: string;
+    audit?: boolean;
+    auditReads?: boolean;
+}
+export declare class KyselySecretService implements SecretService {
+    private db;
+    private initialized;
+    private key;
+    private keyVersion;
+    private previousKey?;
+    private audit;
+    private auditReads;
+    constructor(db: Kysely<KyselyPikkuDB>, config: KyselySecretServiceConfig);
+    init(): Promise<void>;
+    private logAudit;
+    private getKEK;
+    getSecret(key: string): Promise<string>;
+    getSecretJSON<R = {}>(key: string): Promise<R>;
+    hasSecret(key: string): Promise<boolean>;
+    setSecretJSON(key: string, value: unknown): Promise<void>;
+    deleteSecret(key: string): Promise<void>;
+    rotateKEK(): Promise<number>;
+}

package/dist/src/kysely-secret-service.js

@@ -0,0 +1,142 @@
+import { sql } from 'kysely';
+import { envelopeEncrypt, envelopeDecrypt, envelopeRewrap, } from '@pikku/core/crypto-utils';
+export class KyselySecretService {
+    db;
+    initialized = false;
+    key;
+    keyVersion;
+    previousKey;
+    audit;
+    auditReads;
+    constructor(db, config) {
+        this.db = db;
+        this.key = config.key;
+        this.keyVersion = config.keyVersion ?? 1;
+        this.previousKey = config.previousKey;
+        this.audit = config.audit ?? false;
+        this.auditReads = config.auditReads ?? false;
+    }
+    async init() {
+        if (this.initialized)
+            return;
+        await this.db.schema
+            .createTable('secrets')
+            .ifNotExists()
+            .addColumn('key', 'varchar(255)', (col) => col.primaryKey())
+            .addColumn('ciphertext', 'text', (col) => col.notNull())
+            .addColumn('wrapped_dek', 'text', (col) => col.notNull())
+            .addColumn('key_version', 'integer', (col) => col.notNull())
+            .addColumn('created_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+            .addColumn('updated_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+            .execute();
+        if (this.audit) {
+            await this.db.schema
+                .createTable('secrets_audit')
+                .ifNotExists()
+                .addColumn('id', 'varchar(36)', (col) => col.primaryKey())
+                .addColumn('secret_key', 'varchar(255)', (col) => col.notNull())
+                .addColumn('action', 'varchar(20)', (col) => col.notNull())
+                .addColumn('performed_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+                .execute();
+        }
+        this.initialized = true;
+    }
+    async logAudit(secretKey, action) {
+        if (!this.audit)
+            return;
+        if (action === 'read' && !this.auditReads)
+            return;
+        await this.db
+            .insertInto('secrets_audit')
+            .values({
+            id: crypto.randomUUID(),
+            secret_key: secretKey,
+            action,
+            performed_at: new Date().toISOString(),
+        })
+            .execute();
+    }
+    getKEK(version) {
+        if (version === this.keyVersion)
+            return this.key;
+        if (this.previousKey)
+            return this.previousKey;
+        throw new Error(`No KEK available for key_version ${version}`);
+    }
+    async getSecret(key) {
+        const row = await this.db
+            .selectFrom('secrets')
+            .select(['ciphertext', 'wrapped_dek', 'key_version'])
+            .where('key', '=', key)
+            .executeTakeFirst();
+        if (!row)
+            throw new Error(`Secret not found: ${key}`);
+        const kek = this.getKEK(row.key_version);
+        const result = await envelopeDecrypt(kek, row.ciphertext, row.wrapped_dek);
+        await this.logAudit(key, 'read');
+        return result;
+    }
+    async getSecretJSON(key) {
+        const raw = await this.getSecret(key);
+        return JSON.parse(raw);
+    }
+    async hasSecret(key) {
+        const row = await this.db
+            .selectFrom('secrets')
+            .select('key')
+            .where('key', '=', key)
+            .executeTakeFirst();
+        return !!row;
+    }
+    async setSecretJSON(key, value) {
+        const plaintext = JSON.stringify(value);
+        const { ciphertext, wrappedDEK } = await envelopeEncrypt(this.key, plaintext);
+        const now = new Date().toISOString();
+        await this.db
+            .insertInto('secrets')
+            .values({
+            key,
+            ciphertext,
+            wrapped_dek: wrappedDEK,
+            key_version: this.keyVersion,
+            created_at: now,
+            updated_at: now,
+        })
+            .onConflict((oc) => oc.column('key').doUpdateSet({
+            ciphertext,
+            wrapped_dek: wrappedDEK,
+            key_version: this.keyVersion,
+            updated_at: now,
+        }))
+            .execute();
+        await this.logAudit(key, 'write');
+    }
+    async deleteSecret(key) {
+        await this.db.deleteFrom('secrets').where('key', '=', key).execute();
+        await this.logAudit(key, 'delete');
+    }
+    async rotateKEK() {
+        if (!this.previousKey) {
+            throw new Error('No previousKey configured — nothing to rotate from');
+        }
+        const rows = await this.db
+            .selectFrom('secrets')
+            .select(['key', 'wrapped_dek'])
+            .where('key_version', '<', this.keyVersion)
+            .execute();
+        for (const row of rows) {
+            const newWrappedDEK = await envelopeRewrap(this.previousKey, this.key, row.wrapped_dek);
+            await this.db
+                .updateTable('secrets')
+                .set({
+                wrapped_dek: newWrappedDEK,
+                key_version: this.keyVersion,
+                updated_at: new Date().toISOString(),
+            })
+                .where('key', '=', row.key)
+                .execute();
+            await this.logAudit(row.key, 'rotate');
+        }
+        return rows.length;
+    }
+}

package/dist/src/kysely-tables.d.ts

@@ -1,4 +1,5 @@
 import type { Generated } from 'kysely';
+import type { WorkflowStatus, StepStatus, WorkflowVersionStatus } from '@pikku/core/workflow';
 export interface ChannelsTable {
     channel_id: string;
     channel_name: string;
@@ -14,7 +15,7 @@ export interface ChannelSubscriptionsTable {
 export interface WorkflowRunsTable {
     workflow_run_id: Generated<string>;
     workflow: string;
-    status: string;
+    status: WorkflowStatus;
     input: string;
     output: string | null;
     error: string | null;
@@ -31,7 +32,7 @@ export interface WorkflowStepTable {
     step_name: string;
     rpc_name: string | null;
     data: string | null;
-    status: Generated<string>;
+    status: Generated<StepStatus>;
     result: string | null;
     error: string | null;
     branch_taken: string | null;
@@ -43,7 +44,7 @@ export interface WorkflowStepTable {
 export interface WorkflowStepHistoryTable {
     history_id: Generated<string>;
     workflow_step_id: string;
-    status: string;
+    status: StepStatus;
     result: string | null;
     error: string | null;
     created_at: Generated<Date>;
@@ -57,6 +58,7 @@ export interface WorkflowVersionsTable {
     graph_hash: string;
     graph: string;
     source: string;
+    status: Generated<WorkflowVersionStatus>;
     created_at: Generated<Date>;
 }
 export interface AIThreadsTable {
@@ -70,7 +72,7 @@ export interface AIThreadsTable {
 export interface AIMessageTable {
     id: string;
     thread_id: string;
-    role: string;
+    role: 'system' | 'user' | 'assistant' | 'tool';
     content: string | null;
     created_at: Generated<Date>;
 }
@@ -82,8 +84,8 @@ export interface AIToolCallTable {
     tool_name: string;
     args: string;
     result: string | null;
-    approval_status: string | null;
-    approval_type: string | null;
+    approval_status: 'approved' | 'denied' | 'pending' | null;
+    approval_type: 'agent-call' | 'tool-call' | null;
     agent_run_id: string | null;
     display_tool_name: string | null;
     display_args: string | null;
@@ -100,8 +102,9 @@ export interface AIRunTable {
     agent_name: string;
     thread_id: string;
     resource_id: string;
-    status: Generated<string>;
-    suspend_reason: string | null;
+    status: Generated<'running' | 'suspended' | 'completed' | 'failed'>;
+    error_message: string | null;
+    suspend_reason: 'approval' | 'rpc-missing' | null;
     missing_rpcs: string | null;
     usage_input_tokens: Generated<number>;
     usage_output_tokens: Generated<number>;
@@ -119,6 +122,20 @@ export interface PikkuDeploymentFunctionsTable {
     deployment_id: string;
     function_name: string;
 }
+export interface SecretsTable {
+    key: string;
+    ciphertext: string;
+    wrapped_dek: string;
+    key_version: number;
+    created_at: Generated<Date>;
+    updated_at: Generated<Date>;
+}
+export interface SecretsAuditTable {
+    id: string;
+    secret_key: string;
+    action: string;
+    performed_at: Generated<Date>;
+}
 export interface KyselyPikkuDB {
     channels: ChannelsTable;
     channel_subscriptions: ChannelSubscriptionsTable;
@@ -133,4 +150,6 @@ export interface KyselyPikkuDB {
     ai_run: AIRunTable;
     pikku_deployments: PikkuDeploymentsTable;
     pikku_deployment_functions: PikkuDeploymentFunctionsTable;
+    secrets: SecretsTable;
+    secrets_audit: SecretsAuditTable;
 }

package/dist/src/kysely-workflow-run-service.d.ts

@@ -24,6 +24,11 @@ export declare class KyselyWorkflowRunService implements WorkflowRunService {
         graph: any;
         source: string;
     } | null>;
+    getAIGeneratedWorkflows(agentName?: string): Promise<Array<{
+        workflowName: string;
+        graphHash: string;
+        graph: any;
+    }>>;
     deleteRun(id: string): Promise<boolean>;
     private mapRunRow;
 }