@pikku/kysely 0.12.2 → 0.12.3

package/src/kysely-agent-run-service.ts

@@ -140,6 +140,7 @@ export class KyselyAgentRunService implements AgentRunService {
         'thread_id',
         'resource_id',
         'status',
+        'error_message',
         'suspend_reason',
         'missing_rpcs',
         'usage_input_tokens',
@@ -193,6 +194,7 @@ export class KyselyAgentRunService implements AgentRunService {
       threadId: row.thread_id as string,
       resourceId: row.resource_id as string,
       status: row.status as string,
+      errorMessage: (row.error_message as string) ?? undefined,
       suspendReason: (row.suspend_reason as string) ?? undefined,
       missingRpcs: parseJson(row.missing_rpcs),
       usageInputTokens: Number(row.usage_input_tokens),

package/src/kysely-ai-storage-service.ts

@@ -22,8 +22,11 @@ export class KyselyAIStorageService
     try {
       await builder.execute()
     } catch (e: any) {
-      // Ignore "index already exists" errors (MySQL doesn't support IF NOT EXISTS for indexes)
+      // Ignore "index already exists" errors across databases
+      // MySQL: ER_DUP_KEYNAME, Postgres: 42P07, SQLite: "already exists"
       if (e?.code === 'ER_DUP_KEYNAME' || e?.errno === 1061) return
+      if (e?.code === '42P07') return
+      if (e?.message?.includes('already exists')) return
       throw e
     }
   }
@@ -138,6 +141,7 @@ export class KyselyAIStorageService
       .addColumn('status', 'varchar(50)', (col) =>
         col.notNull().defaultTo('running')
       )
+      .addColumn('error_message', 'text')
       .addColumn('suspend_reason', 'text')
       .addColumn('missing_rpcs', 'text')
       .addColumn('usage_input_tokens', 'integer', (col) =>
@@ -463,6 +467,7 @@ export class KyselyAIStorageService
         thread_id: run.threadId,
         resource_id: run.resourceId,
         status: run.status,
+        error_message: run.errorMessage ?? null,
         suspend_reason: run.suspendReason ?? null,
         missing_rpcs: run.missingRpcs ? JSON.stringify(run.missingRpcs) : null,
         usage_input_tokens: run.usage.inputTokens,
@@ -489,6 +494,9 @@ export class KyselyAIStorageService
     if (updates.status !== undefined) {
       setValues.status = updates.status
     }
+    if (updates.errorMessage !== undefined) {
+      setValues.error_message = updates.errorMessage
+    }
     if (updates.suspendReason !== undefined) {
       setValues.suspend_reason = updates.suspendReason
     }
@@ -537,6 +545,7 @@ export class KyselyAIStorageService
         'thread_id',
         'resource_id',
         'status',
+        'error_message',
         'suspend_reason',
         'missing_rpcs',
         'usage_input_tokens',
@@ -577,6 +586,7 @@ export class KyselyAIStorageService
         'thread_id',
         'resource_id',
         'status',
+        'error_message',
         'suspend_reason',
         'missing_rpcs',
         'usage_input_tokens',
@@ -670,6 +680,7 @@ export class KyselyAIStorageService
       threadId: row.thread_id as string,
       resourceId: row.resource_id as string,
       status: row.status as AgentRunState['status'],
+      errorMessage: row.error_message ?? undefined,
       suspendReason: row.suspend_reason as AgentRunState['suspendReason'],
       missingRpcs: parseJson(row.missing_rpcs),
       pendingApprovals,

package/src/kysely-deployment-service.ts

@@ -18,7 +18,7 @@ export class KyselyDeploymentService implements DeploymentService {
 
   constructor(
     config: DeploymentServiceConfig,
-    private db: Kysely<KyselyPikkuDB>
+    protected db: Kysely<KyselyPikkuDB>
   ) {
     this.heartbeatInterval = config.heartbeatInterval ?? 10000
     this.heartbeatTtl = config.heartbeatTtl ?? 30000
@@ -58,19 +58,21 @@ export class KyselyDeploymentService implements DeploymentService {
       ])
       .execute()
 
-    await this.db.schema
-      .createIndex('idx_pikku_deployments_heartbeat')
-      .ifNotExists()
-      .on('pikku_deployments')
-      .column('last_heartbeat')
-      .execute()
+    await this.createIndexSafe(
+      this.db.schema
+        .createIndex('idx_pikku_deployments_heartbeat')
+        .ifNotExists()
+        .on('pikku_deployments')
+        .column('last_heartbeat')
+    )
 
-    await this.db.schema
-      .createIndex('idx_pikku_deployment_functions_name')
-      .ifNotExists()
-      .on('pikku_deployment_functions')
-      .column('function_name')
-      .execute()
+    await this.createIndexSafe(
+      this.db.schema
+        .createIndex('idx_pikku_deployment_functions_name')
+        .ifNotExists()
+        .on('pikku_deployment_functions')
+        .column('function_name')
+    )
 
     this.initialized = true
   }
@@ -156,6 +158,19 @@ export class KyselyDeploymentService implements DeploymentService {
     }))
   }
 
+  private async createIndexSafe(builder: {
+    execute(): Promise<void>
+  }): Promise<void> {
+    try {
+      await builder.execute()
+    } catch (e: any) {
+      if (e?.code === 'ER_DUP_KEYNAME' || e?.errno === 1061) return
+      if (e?.code === '42P07') return
+      if (e?.message?.includes('already exists')) return
+      throw e
+    }
+  }
+
   private async sendHeartbeat(): Promise<void> {
     if (!this.deploymentConfig) return
 

package/src/kysely-secret-service.ts

@@ -0,0 +1,197 @@
+import type { SecretService } from '@pikku/core/services'
+import type { Kysely } from 'kysely'
+import { sql } from 'kysely'
+import type { KyselyPikkuDB } from './kysely-tables.js'
+import {
+  envelopeEncrypt,
+  envelopeDecrypt,
+  envelopeRewrap,
+} from '@pikku/core/crypto-utils'
+
+export interface KyselySecretServiceConfig {
+  key: string
+  keyVersion?: number
+  previousKey?: string
+  audit?: boolean
+  auditReads?: boolean
+}
+
+export class KyselySecretService implements SecretService {
+  private initialized = false
+  private key: string
+  private keyVersion: number
+  private previousKey?: string
+  private audit: boolean
+  private auditReads: boolean
+
+  constructor(
+    private db: Kysely<KyselyPikkuDB>,
+    config: KyselySecretServiceConfig
+  ) {
+    this.key = config.key
+    this.keyVersion = config.keyVersion ?? 1
+    this.previousKey = config.previousKey
+    this.audit = config.audit ?? false
+    this.auditReads = config.auditReads ?? false
+  }
+
+  public async init(): Promise<void> {
+    if (this.initialized) return
+
+    await this.db.schema
+      .createTable('secrets')
+      .ifNotExists()
+      .addColumn('key', 'varchar(255)', (col) => col.primaryKey())
+      .addColumn('ciphertext', 'text', (col) => col.notNull())
+      .addColumn('wrapped_dek', 'text', (col) => col.notNull())
+      .addColumn('key_version', 'integer', (col) => col.notNull())
+      .addColumn('created_at', 'timestamp', (col) =>
+        col.defaultTo(sql`CURRENT_TIMESTAMP`).notNull()
+      )
+      .addColumn('updated_at', 'timestamp', (col) =>
+        col.defaultTo(sql`CURRENT_TIMESTAMP`).notNull()
+      )
+      .execute()
+
+    if (this.audit) {
+      await this.db.schema
+        .createTable('secrets_audit')
+        .ifNotExists()
+        .addColumn('id', 'varchar(36)', (col) => col.primaryKey())
+        .addColumn('secret_key', 'varchar(255)', (col) => col.notNull())
+        .addColumn('action', 'varchar(20)', (col) => col.notNull())
+        .addColumn('performed_at', 'timestamp', (col) =>
+          col.defaultTo(sql`CURRENT_TIMESTAMP`).notNull()
+        )
+        .execute()
+    }
+
+    this.initialized = true
+  }
+
+  private async logAudit(
+    secretKey: string,
+    action: 'read' | 'write' | 'delete' | 'rotate'
+  ): Promise<void> {
+    if (!this.audit) return
+    if (action === 'read' && !this.auditReads) return
+
+    await this.db
+      .insertInto('secrets_audit')
+      .values({
+        id: crypto.randomUUID(),
+        secret_key: secretKey,
+        action,
+        performed_at: new Date().toISOString() as any,
+      })
+      .execute()
+  }
+
+  private getKEK(version: number): string {
+    if (version === this.keyVersion) return this.key
+    if (this.previousKey) return this.previousKey
+    throw new Error(`No KEK available for key_version ${version}`)
+  }
+
+  async getSecret(key: string): Promise<string> {
+    const row = await this.db
+      .selectFrom('secrets')
+      .select(['ciphertext', 'wrapped_dek', 'key_version'])
+      .where('key', '=', key)
+      .executeTakeFirst()
+
+    if (!row) throw new Error(`Secret not found: ${key}`)
+
+    const kek = this.getKEK(row.key_version)
+    const result = await envelopeDecrypt<string>(
+      kek,
+      row.ciphertext,
+      row.wrapped_dek
+    )
+    await this.logAudit(key, 'read')
+    return result
+  }
+
+  async getSecretJSON<R = {}>(key: string): Promise<R> {
+    const raw = await this.getSecret(key)
+    return JSON.parse(raw) as R
+  }
+
+  async hasSecret(key: string): Promise<boolean> {
+    const row = await this.db
+      .selectFrom('secrets')
+      .select('key')
+      .where('key', '=', key)
+      .executeTakeFirst()
+    return !!row
+  }
+
+  async setSecretJSON(key: string, value: unknown): Promise<void> {
+    const plaintext = JSON.stringify(value)
+    const { ciphertext, wrappedDEK } = await envelopeEncrypt(
+      this.key,
+      plaintext
+    )
+    const now = new Date().toISOString()
+
+    await this.db
+      .insertInto('secrets')
+      .values({
+        key,
+        ciphertext,
+        wrapped_dek: wrappedDEK,
+        key_version: this.keyVersion,
+        created_at: now as any,
+        updated_at: now as any,
+      })
+      .onConflict((oc) =>
+        oc.column('key').doUpdateSet({
+          ciphertext,
+          wrapped_dek: wrappedDEK,
+          key_version: this.keyVersion,
+          updated_at: now as any,
+        })
+      )
+      .execute()
+
+    await this.logAudit(key, 'write')
+  }
+
+  async deleteSecret(key: string): Promise<void> {
+    await this.db.deleteFrom('secrets').where('key', '=', key).execute()
+    await this.logAudit(key, 'delete')
+  }
+
+  async rotateKEK(): Promise<number> {
+    if (!this.previousKey) {
+      throw new Error('No previousKey configured — nothing to rotate from')
+    }
+
+    const rows = await this.db
+      .selectFrom('secrets')
+      .select(['key', 'wrapped_dek'])
+      .where('key_version', '<', this.keyVersion)
+      .execute()
+
+    for (const row of rows) {
+      const newWrappedDEK = await envelopeRewrap(
+        this.previousKey,
+        this.key,
+        row.wrapped_dek
+      )
+      await this.db
+        .updateTable('secrets')
+        .set({
+          wrapped_dek: newWrappedDEK,
+          key_version: this.keyVersion,
+          updated_at: new Date().toISOString() as any,
+        })
+        .where('key', '=', row.key)
+        .execute()
+
+      await this.logAudit(row.key, 'rotate')
+    }
+
+    return rows.length
+  }
+}