@pikku/kysely 0.12.5 → 0.12.6

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 ## 0.12.0
 
+## 0.12.6
+
+### Patch Changes
+
+- 0f59432: Add per-user credential system with CredentialService, OAuth2 route handlers, and KyselyCredentialService with envelope encryption
+- Updated dependencies [0f59432]
+- Updated dependencies [52b64d1]
+  - @pikku/core@0.12.10
+
 ## 0.12.5
 
 ### Patch Changes

package/dist/src/index.d.ts

@@ -7,6 +7,8 @@ export { KyselyAIStorageService } from './kysely-ai-storage-service.js';
 export { KyselyAgentRunService } from './kysely-agent-run-service.js';
 export { KyselySecretService } from './kysely-secret-service.js';
 export type { KyselySecretServiceConfig } from './kysely-secret-service.js';
+export { KyselyCredentialService } from './kysely-credential-service.js';
+export type { KyselyCredentialServiceConfig } from './kysely-credential-service.js';
 export type { KyselyPikkuDB } from './kysely-tables.js';
 export type { WorkflowRunService } from '@pikku/core/workflow';
 export type { AgentRunService, AgentRunRow } from '@pikku/core/ai-agent';

package/dist/src/index.js

@@ -6,3 +6,4 @@ export { KyselyDeploymentService } from './kysely-deployment-service.js';
 export { KyselyAIStorageService } from './kysely-ai-storage-service.js';
 export { KyselyAgentRunService } from './kysely-agent-run-service.js';
 export { KyselySecretService } from './kysely-secret-service.js';
+export { KyselyCredentialService } from './kysely-credential-service.js';

package/dist/src/kysely-credential-service.d.ts

@@ -0,0 +1,30 @@
+import type { CredentialService } from '@pikku/core/services';
+import type { Kysely } from 'kysely';
+import type { KyselyPikkuDB } from './kysely-tables.js';
+export interface KyselyCredentialServiceConfig {
+    key: string;
+    keyVersion?: number;
+    previousKey?: string;
+    audit?: boolean;
+    auditReads?: boolean;
+}
+export declare class KyselyCredentialService implements CredentialService {
+    private db;
+    private initialized;
+    private key;
+    private keyVersion;
+    private previousKey?;
+    private audit;
+    private auditReads;
+    constructor(db: Kysely<KyselyPikkuDB>, config: KyselyCredentialServiceConfig);
+    init(): Promise<void>;
+    private logAudit;
+    private getKEK;
+    private whereUserId;
+    get<T = unknown>(name: string, userId?: string): Promise<T | null>;
+    set(name: string, value: unknown, userId?: string): Promise<void>;
+    delete(name: string, userId?: string): Promise<void>;
+    has(name: string, userId?: string): Promise<boolean>;
+    getAll(userId: string): Promise<Record<string, unknown>>;
+    rotateKEK(): Promise<number>;
+}

package/dist/src/kysely-credential-service.js

@@ -0,0 +1,188 @@
+import { sql } from 'kysely';
+import { envelopeEncrypt, envelopeDecrypt, envelopeRewrap, } from '@pikku/core/crypto-utils';
+export class KyselyCredentialService {
+    db;
+    initialized = false;
+    key;
+    keyVersion;
+    previousKey;
+    audit;
+    auditReads;
+    constructor(db, config) {
+        this.db = db;
+        this.key = config.key;
+        this.keyVersion = config.keyVersion ?? 1;
+        this.previousKey = config.previousKey;
+        this.audit = config.audit ?? false;
+        this.auditReads = config.auditReads ?? false;
+    }
+    async init() {
+        if (this.initialized)
+            return;
+        await this.db.schema
+            .createTable('credentials')
+            .ifNotExists()
+            .addColumn('name', 'varchar(255)', (col) => col.notNull())
+            .addColumn('user_id', 'varchar(255)')
+            .addColumn('ciphertext', 'text', (col) => col.notNull())
+            .addColumn('wrapped_dek', 'text', (col) => col.notNull())
+            .addColumn('key_version', 'integer', (col) => col.notNull())
+            .addColumn('created_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+            .addColumn('updated_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+            .execute();
+        await sql `CREATE UNIQUE INDEX IF NOT EXISTS credentials_name_user_id_unique ON credentials (name, COALESCE(user_id, ''))`.execute(this.db);
+        if (this.audit) {
+            await this.db.schema
+                .createTable('credentials_audit')
+                .ifNotExists()
+                .addColumn('id', 'varchar(36)', (col) => col.primaryKey())
+                .addColumn('credential_name', 'varchar(255)', (col) => col.notNull())
+                .addColumn('user_id', 'varchar(255)')
+                .addColumn('action', 'varchar(20)', (col) => col.notNull())
+                .addColumn('performed_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+                .execute();
+        }
+        this.initialized = true;
+    }
+    async logAudit(name, userId, action) {
+        if (!this.audit)
+            return;
+        if (action === 'read' && !this.auditReads)
+            return;
+        await this.db
+            .insertInto('credentials_audit')
+            .values({
+            id: crypto.randomUUID(),
+            credential_name: name,
+            user_id: userId ?? null,
+            action,
+            performed_at: new Date().toISOString(),
+        })
+            .execute();
+    }
+    getKEK(version) {
+        if (version === this.keyVersion)
+            return this.key;
+        if (this.previousKey)
+            return this.previousKey;
+        throw new Error(`No KEK available for key_version ${version}`);
+    }
+    whereUserId(qb, userId) {
+        return userId
+            ? qb.where('user_id', '=', userId)
+            : qb.where('user_id', 'is', null);
+    }
+    async get(name, userId) {
+        let qb = this.db
+            .selectFrom('credentials')
+            .select(['ciphertext', 'wrapped_dek', 'key_version'])
+            .where('name', '=', name);
+        qb = this.whereUserId(qb, userId);
+        const row = await qb.executeTakeFirst();
+        if (!row)
+            return null;
+        const kek = this.getKEK(row.key_version);
+        const plaintext = await envelopeDecrypt(kek, row.ciphertext, row.wrapped_dek);
+        await this.logAudit(name, userId, 'read');
+        try {
+            return JSON.parse(plaintext);
+        }
+        catch {
+            throw new Error(`Credential '${name}' contains invalid data`);
+        }
+    }
+    async set(name, value, userId) {
+        const plaintext = JSON.stringify(value);
+        const { ciphertext, wrappedDEK } = await envelopeEncrypt(this.key, plaintext);
+        const now = new Date().toISOString();
+        const exists = await this.has(name, userId);
+        if (exists) {
+            let qb = this.db
+                .updateTable('credentials')
+                .set({
+                ciphertext,
+                wrapped_dek: wrappedDEK,
+                key_version: this.keyVersion,
+                updated_at: now,
+            })
+                .where('name', '=', name);
+            qb = this.whereUserId(qb, userId);
+            await qb.execute();
+        }
+        else {
+            await this.db
+                .insertInto('credentials')
+                .values({
+                name,
+                user_id: userId ?? null,
+                ciphertext,
+                wrapped_dek: wrappedDEK,
+                key_version: this.keyVersion,
+                created_at: now,
+                updated_at: now,
+            })
+                .execute();
+        }
+        await this.logAudit(name, userId, 'write');
+    }
+    async delete(name, userId) {
+        let qb = this.db.deleteFrom('credentials').where('name', '=', name);
+        qb = this.whereUserId(qb, userId);
+        await qb.execute();
+        await this.logAudit(name, userId, 'delete');
+    }
+    async has(name, userId) {
+        let qb = this.db
+            .selectFrom('credentials')
+            .select('name')
+            .where('name', '=', name);
+        qb = this.whereUserId(qb, userId);
+        const row = await qb.executeTakeFirst();
+        return !!row;
+    }
+    async getAll(userId) {
+        const rows = await this.db
+            .selectFrom('credentials')
+            .select(['name', 'ciphertext', 'wrapped_dek', 'key_version'])
+            .where('user_id', '=', userId)
+            .execute();
+        const result = {};
+        for (const row of rows) {
+            const kek = this.getKEK(row.key_version);
+            const plaintext = await envelopeDecrypt(kek, row.ciphertext, row.wrapped_dek);
+            try {
+                result[row.name] = JSON.parse(plaintext);
+            }
+            catch {
+                throw new Error(`Credential '${row.name}' contains invalid data`);
+            }
+            await this.logAudit(row.name, userId, 'read');
+        }
+        return result;
+    }
+    async rotateKEK() {
+        if (!this.previousKey) {
+            throw new Error('No previousKey configured — nothing to rotate from');
+        }
+        const rows = await this.db
+            .selectFrom('credentials')
+            .select(['name', 'user_id', 'wrapped_dek'])
+            .where('key_version', '<', this.keyVersion)
+            .execute();
+        for (const row of rows) {
+            const newWrappedDEK = await envelopeRewrap(this.previousKey, this.key, row.wrapped_dek);
+            let qb = this.db
+                .updateTable('credentials')
+                .set({
+                wrapped_dek: newWrappedDEK,
+                key_version: this.keyVersion,
+                updated_at: new Date().toISOString(),
+            })
+                .where('name', '=', row.name);
+            qb = this.whereUserId(qb, row.user_id ?? undefined);
+            await qb.execute();
+            await this.logAudit(row.name, row.user_id ?? undefined, 'rotate');
+        }
+        return rows.length;
+    }
+}

package/dist/src/kysely-tables.d.ts

@@ -137,6 +137,22 @@ export interface SecretsAuditTable {
     action: string;
     performed_at: Generated<Date>;
 }
+export interface CredentialsTable {
+    name: string;
+    user_id: string | null;
+    ciphertext: string;
+    wrapped_dek: string;
+    key_version: number;
+    created_at: Generated<Date>;
+    updated_at: Generated<Date>;
+}
+export interface CredentialsAuditTable {
+    id: string;
+    credential_name: string;
+    user_id: string | null;
+    action: string;
+    performed_at: Generated<Date>;
+}
 export interface KyselyPikkuDB {
     channels: ChannelsTable;
     channel_subscriptions: ChannelSubscriptionsTable;
@@ -153,4 +169,6 @@ export interface KyselyPikkuDB {
     pikku_deployment_functions: PikkuDeploymentFunctionsTable;
     secrets: SecretsTable;
     secrets_audit: SecretsAuditTable;
+    credentials: CredentialsTable;
+    credentials_audit: CredentialsAuditTable;
 }

package/dist/tsconfig.tsbuildinfo

@@ -1 +1 @@
-{"root":["../src/index.ts","../src/kysely-agent-run-service.ts","../src/kysely-ai-storage-service.ts","../src/kysely-channel-store.ts","../src/kysely-deployment-service.ts","../src/kysely-eventhub-store.ts","../src/kysely-json.ts","../src/kysely-secret-service.ts","../src/kysely-tables.ts","../src/kysely-workflow-run-service.ts","../src/kysely-workflow-service.ts","../bin/pikku-kysely-pure.ts"],"version":"5.9.3"}
+{"root":["../src/index.ts","../src/kysely-agent-run-service.ts","../src/kysely-ai-storage-service.ts","../src/kysely-channel-store.ts","../src/kysely-credential-service.ts","../src/kysely-deployment-service.ts","../src/kysely-eventhub-store.ts","../src/kysely-json.ts","../src/kysely-secret-service.ts","../src/kysely-tables.ts","../src/kysely-workflow-run-service.ts","../src/kysely-workflow-service.ts","../bin/pikku-kysely-pure.ts"],"version":"5.9.3"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pikku/kysely",
-  "version": "0.12.5",
+  "version": "0.12.6",
   "author": "yasser.fadl@gmail.com",
   "license": "MIT",
   "module": "dist/src/index.js",
@@ -20,7 +20,7 @@
     "prepublishOnly": "yarn build"
   },
   "peerDependencies": {
-    "@pikku/core": "^0.12.9"
+    "@pikku/core": "^0.12.10"
   },
   "dependencies": {
     "kysely": "^0.28.12"

package/src/index.ts

@@ -7,6 +7,8 @@ export { KyselyAIStorageService } from './kysely-ai-storage-service.js'
 export { KyselyAgentRunService } from './kysely-agent-run-service.js'
 export { KyselySecretService } from './kysely-secret-service.js'
 export type { KyselySecretServiceConfig } from './kysely-secret-service.js'
+export { KyselyCredentialService } from './kysely-credential-service.js'
+export type { KyselyCredentialServiceConfig } from './kysely-credential-service.js'
 
 export type { KyselyPikkuDB } from './kysely-tables.js'
 export type { WorkflowRunService } from '@pikku/core/workflow'

package/src/kysely-credential-service.ts

@@ -0,0 +1,252 @@
+import type { CredentialService } from '@pikku/core/services'
+import type { Kysely } from 'kysely'
+import { sql } from 'kysely'
+import type { KyselyPikkuDB } from './kysely-tables.js'
+import {
+  envelopeEncrypt,
+  envelopeDecrypt,
+  envelopeRewrap,
+} from '@pikku/core/crypto-utils'
+
+export interface KyselyCredentialServiceConfig {
+  key: string
+  keyVersion?: number
+  previousKey?: string
+  audit?: boolean
+  auditReads?: boolean
+}
+
+export class KyselyCredentialService implements CredentialService {
+  private initialized = false
+  private key: string
+  private keyVersion: number
+  private previousKey?: string
+  private audit: boolean
+  private auditReads: boolean
+
+  constructor(
+    private db: Kysely<KyselyPikkuDB>,
+    config: KyselyCredentialServiceConfig
+  ) {
+    this.key = config.key
+    this.keyVersion = config.keyVersion ?? 1
+    this.previousKey = config.previousKey
+    this.audit = config.audit ?? false
+    this.auditReads = config.auditReads ?? false
+  }
+
+  public async init(): Promise<void> {
+    if (this.initialized) return
+
+    await this.db.schema
+      .createTable('credentials')
+      .ifNotExists()
+      .addColumn('name', 'varchar(255)', (col) => col.notNull())
+      .addColumn('user_id', 'varchar(255)')
+      .addColumn('ciphertext', 'text', (col) => col.notNull())
+      .addColumn('wrapped_dek', 'text', (col) => col.notNull())
+      .addColumn('key_version', 'integer', (col) => col.notNull())
+      .addColumn('created_at', 'timestamp', (col) =>
+        col.defaultTo(sql`CURRENT_TIMESTAMP`).notNull()
+      )
+      .addColumn('updated_at', 'timestamp', (col) =>
+        col.defaultTo(sql`CURRENT_TIMESTAMP`).notNull()
+      )
+      .execute()
+
+    await sql`CREATE UNIQUE INDEX IF NOT EXISTS credentials_name_user_id_unique ON credentials (name, COALESCE(user_id, ''))`.execute(
+      this.db
+    )
+
+    if (this.audit) {
+      await this.db.schema
+        .createTable('credentials_audit')
+        .ifNotExists()
+        .addColumn('id', 'varchar(36)', (col) => col.primaryKey())
+        .addColumn('credential_name', 'varchar(255)', (col) => col.notNull())
+        .addColumn('user_id', 'varchar(255)')
+        .addColumn('action', 'varchar(20)', (col) => col.notNull())
+        .addColumn('performed_at', 'timestamp', (col) =>
+          col.defaultTo(sql`CURRENT_TIMESTAMP`).notNull()
+        )
+        .execute()
+    }
+
+    this.initialized = true
+  }
+
+  private async logAudit(
+    name: string,
+    userId: string | undefined,
+    action: 'read' | 'write' | 'delete' | 'rotate'
+  ): Promise<void> {
+    if (!this.audit) return
+    if (action === 'read' && !this.auditReads) return
+
+    await this.db
+      .insertInto('credentials_audit')
+      .values({
+        id: crypto.randomUUID(),
+        credential_name: name,
+        user_id: userId ?? null,
+        action,
+        performed_at: new Date().toISOString() as any,
+      })
+      .execute()
+  }
+
+  private getKEK(version: number): string {
+    if (version === this.keyVersion) return this.key
+    if (this.previousKey) return this.previousKey
+    throw new Error(`No KEK available for key_version ${version}`)
+  }
+
+  private whereUserId(qb: any, userId?: string) {
+    return userId
+      ? qb.where('user_id', '=', userId)
+      : qb.where('user_id', 'is', null)
+  }
+
+  async get<T = unknown>(name: string, userId?: string): Promise<T | null> {
+    let qb = this.db
+      .selectFrom('credentials')
+      .select(['ciphertext', 'wrapped_dek', 'key_version'])
+      .where('name', '=', name)
+    qb = this.whereUserId(qb, userId)
+
+    const row = await qb.executeTakeFirst()
+    if (!row) return null
+
+    const kek = this.getKEK(row.key_version)
+    const plaintext = await envelopeDecrypt<string>(
+      kek,
+      row.ciphertext,
+      row.wrapped_dek
+    )
+    await this.logAudit(name, userId, 'read')
+
+    try {
+      return JSON.parse(plaintext) as T
+    } catch {
+      throw new Error(`Credential '${name}' contains invalid data`)
+    }
+  }
+
+  async set(name: string, value: unknown, userId?: string): Promise<void> {
+    const plaintext = JSON.stringify(value)
+    const { ciphertext, wrappedDEK } = await envelopeEncrypt(
+      this.key,
+      plaintext
+    )
+    const now = new Date().toISOString()
+    const exists = await this.has(name, userId)
+
+    if (exists) {
+      let qb = this.db
+        .updateTable('credentials')
+        .set({
+          ciphertext,
+          wrapped_dek: wrappedDEK,
+          key_version: this.keyVersion,
+          updated_at: now as any,
+        })
+        .where('name', '=', name)
+      qb = this.whereUserId(qb, userId)
+      await qb.execute()
+    } else {
+      await this.db
+        .insertInto('credentials')
+        .values({
+          name,
+          user_id: userId ?? null,
+          ciphertext,
+          wrapped_dek: wrappedDEK,
+          key_version: this.keyVersion,
+          created_at: now as any,
+          updated_at: now as any,
+        })
+        .execute()
+    }
+
+    await this.logAudit(name, userId, 'write')
+  }
+
+  async delete(name: string, userId?: string): Promise<void> {
+    let qb = this.db.deleteFrom('credentials').where('name', '=', name)
+    qb = this.whereUserId(qb, userId)
+    await qb.execute()
+
+    await this.logAudit(name, userId, 'delete')
+  }
+
+  async has(name: string, userId?: string): Promise<boolean> {
+    let qb = this.db
+      .selectFrom('credentials')
+      .select('name')
+      .where('name', '=', name)
+    qb = this.whereUserId(qb, userId)
+
+    const row = await qb.executeTakeFirst()
+    return !!row
+  }
+
+  async getAll(userId: string): Promise<Record<string, unknown>> {
+    const rows = await this.db
+      .selectFrom('credentials')
+      .select(['name', 'ciphertext', 'wrapped_dek', 'key_version'])
+      .where('user_id', '=', userId)
+      .execute()
+
+    const result: Record<string, unknown> = {}
+    for (const row of rows) {
+      const kek = this.getKEK(row.key_version)
+      const plaintext = await envelopeDecrypt<string>(
+        kek,
+        row.ciphertext,
+        row.wrapped_dek
+      )
+      try {
+        result[row.name] = JSON.parse(plaintext)
+      } catch {
+        throw new Error(`Credential '${row.name}' contains invalid data`)
+      }
+      await this.logAudit(row.name, userId, 'read')
+    }
+
+    return result
+  }
+
+  async rotateKEK(): Promise<number> {
+    if (!this.previousKey) {
+      throw new Error('No previousKey configured — nothing to rotate from')
+    }
+
+    const rows = await this.db
+      .selectFrom('credentials')
+      .select(['name', 'user_id', 'wrapped_dek'])
+      .where('key_version', '<', this.keyVersion)
+      .execute()
+
+    for (const row of rows) {
+      const newWrappedDEK = await envelopeRewrap(
+        this.previousKey,
+        this.key,
+        row.wrapped_dek
+      )
+      let qb = this.db
+        .updateTable('credentials')
+        .set({
+          wrapped_dek: newWrappedDEK,
+          key_version: this.keyVersion,
+          updated_at: new Date().toISOString() as any,
+        })
+        .where('name', '=', row.name)
+      qb = this.whereUserId(qb, row.user_id ?? undefined)
+      await qb.execute()
+
+      await this.logAudit(row.name, row.user_id ?? undefined, 'rotate')
+    }
+
+    return rows.length
+  }
+}

package/src/kysely-services.test.ts

@@ -16,6 +16,7 @@ import { KyselyDeploymentService } from './kysely-deployment-service.js'
 import { KyselyAIStorageService } from './kysely-ai-storage-service.js'
 import { KyselyAgentRunService } from './kysely-agent-run-service.js'
 import { KyselySecretService } from './kysely-secret-service.js'
+import { KyselyCredentialService } from './kysely-credential-service.js'
 
 function createSqliteDb(): Kysely<KyselyPikkuDB> {
   return new Kysely<KyselyPikkuDB>({
@@ -52,6 +53,8 @@ async function dropAllTables(db: Kysely<KyselyPikkuDB>): Promise<void> {
     'workflow_versions',
     'secrets_audit',
     'secrets',
+    'credentials_audit',
+    'credentials',
   ]
   for (const table of tables) {
     await db.schema.dropTable(table).ifExists().execute()
@@ -100,6 +103,11 @@ function registerTests(
         await s.init()
         return s
       },
+      credentialService: async (config) => {
+        const s = new KyselyCredentialService(getDb(), config)
+        await s.init()
+        return s
+      },
     },
   })
 
@@ -150,6 +158,56 @@ function registerTests(
       assert.equal(logs[0]!.action, 'write')
     })
   })
+
+  describe(`KyselyCredentialService audit [${dialectName}]`, () => {
+    const kek = 'test-key-encryption-key-32chars!'
+
+    test('audit logs writes, reads, and deletes', async () => {
+      const service = new KyselyCredentialService(getDb(), {
+        key: kek,
+        audit: true,
+        auditReads: true,
+      })
+      await service.init()
+      await service.set('audit-cred', { token: 'abc' }, 'user-1')
+      await service.get('audit-cred', 'user-1')
+      await service.delete('audit-cred', 'user-1')
+
+      const logs = await getDb()
+        .selectFrom('credentials_audit')
+        .select(['credential_name', 'user_id', 'action'])
+        .where('credential_name', '=', 'audit-cred')
+        .orderBy('performed_at', 'asc')
+        .execute()
+
+      assert.equal(logs.length, 3)
+      assert.equal(logs[0]!.action, 'write')
+      assert.equal(logs[0]!.user_id, 'user-1')
+      assert.equal(logs[1]!.action, 'read')
+      assert.equal(logs[2]!.action, 'delete')
+    })
+
+    test('audit logs global credential with null user_id', async () => {
+      const service = new KyselyCredentialService(getDb(), {
+        key: kek,
+        audit: true,
+        auditReads: true,
+      })
+      await service.init()
+      await service.set('global-cred', { key: 'val' })
+      await service.get('global-cred')
+
+      const logs = await getDb()
+        .selectFrom('credentials_audit')
+        .select(['credential_name', 'user_id', 'action'])
+        .where('credential_name', '=', 'global-cred')
+        .execute()
+
+      assert.equal(logs.length, 2)
+      assert.equal(logs[0]!.user_id, null)
+      assert.equal(logs[1]!.user_id, null)
+    })
+  })
 }
 
 describe('Kysely Services - SQLite', () => {

package/src/kysely-tables.ts

@@ -157,6 +157,24 @@ export interface SecretsAuditTable {
   performed_at: Generated<Date>
 }
 
+export interface CredentialsTable {
+  name: string
+  user_id: string | null
+  ciphertext: string
+  wrapped_dek: string
+  key_version: number
+  created_at: Generated<Date>
+  updated_at: Generated<Date>
+}
+
+export interface CredentialsAuditTable {
+  id: string
+  credential_name: string
+  user_id: string | null
+  action: string
+  performed_at: Generated<Date>
+}
+
 export interface KyselyPikkuDB {
   channels: ChannelsTable
   channel_subscriptions: ChannelSubscriptionsTable
@@ -173,4 +191,6 @@ export interface KyselyPikkuDB {
   pikku_deployment_functions: PikkuDeploymentFunctionsTable
   secrets: SecretsTable
   secrets_audit: SecretsAuditTable
+  credentials: CredentialsTable
+  credentials_audit: CredentialsAuditTable
 }