@pikku/kysely 0.12.5 → 0.12.7

package/dist/src/kysely-channel-store.js

@@ -38,9 +38,9 @@ export class KyselyChannelStore extends ChannelStore {
         await this.db
             .insertInto('channels')
             .values({
-            channel_id: channelId,
-            channel_name: channelName,
-            opening_data: JSON.stringify(openingData || {}),
+            channelId: channelId,
+            channelName: channelName,
+            openingData: JSON.stringify(openingData || {}),
         })
             .execute();
     }
@@ -50,30 +50,30 @@ export class KyselyChannelStore extends ChannelStore {
         }
         await this.db
             .deleteFrom('channels')
-            .where('channel_id', 'in', channelIds)
+            .where('channelId', 'in', channelIds)
             .execute();
     }
     async setUserSession(channelId, session) {
         await this.db
             .updateTable('channels')
-            .set({ user_session: session ? JSON.stringify(session) : null })
-            .where('channel_id', '=', channelId)
+            .set({ userSession: session ? JSON.stringify(session) : null })
+            .where('channelId', '=', channelId)
             .execute();
     }
     async getChannelAndSession(channelId) {
         const row = await this.db
             .selectFrom('channels')
-            .select(['channel_id', 'channel_name', 'opening_data', 'user_session'])
-            .where('channel_id', '=', channelId)
+            .select(['channelId', 'channelName', 'openingData', 'userSession'])
+            .where('channelId', '=', channelId)
             .executeTakeFirst();
         if (!row) {
             throw new Error(`Channel not found: ${channelId}`);
         }
         return {
-            channelId: row.channel_id,
-            channelName: row.channel_name,
-            openingData: parseJson(row.opening_data) ?? {},
-            session: (parseJson(row.user_session) ?? {}),
+            channelId: row.channelId,
+            channelName: row.channelName,
+            openingData: parseJson(row.openingData) ?? {},
+            session: (parseJson(row.userSession) ?? {}),
         };
     }
     async close() { }

package/dist/src/kysely-credential-service.d.ts

@@ -0,0 +1,30 @@
+import type { CredentialService } from '@pikku/core/services';
+import type { Kysely } from 'kysely';
+import type { KyselyPikkuDB } from './kysely-tables.js';
+export interface KyselyCredentialServiceConfig {
+    key: string;
+    keyVersion?: number;
+    previousKey?: string;
+    audit?: boolean;
+    auditReads?: boolean;
+}
+export declare class KyselyCredentialService implements CredentialService {
+    private db;
+    private initialized;
+    private key;
+    private keyVersion;
+    private previousKey?;
+    private audit;
+    private auditReads;
+    constructor(db: Kysely<KyselyPikkuDB>, config: KyselyCredentialServiceConfig);
+    init(): Promise<void>;
+    private logAudit;
+    private getKEK;
+    private whereUserId;
+    get<T = unknown>(name: string, userId?: string): Promise<T | null>;
+    set(name: string, value: unknown, userId?: string): Promise<void>;
+    delete(name: string, userId?: string): Promise<void>;
+    has(name: string, userId?: string): Promise<boolean>;
+    getAll(userId: string): Promise<Record<string, unknown>>;
+    rotateKEK(): Promise<number>;
+}

package/dist/src/kysely-credential-service.js

@@ -0,0 +1,188 @@
+import { sql } from 'kysely';
+import { envelopeEncrypt, envelopeDecrypt, envelopeRewrap, } from '@pikku/core/crypto-utils';
+export class KyselyCredentialService {
+    db;
+    initialized = false;
+    key;
+    keyVersion;
+    previousKey;
+    audit;
+    auditReads;
+    constructor(db, config) {
+        this.db = db;
+        this.key = config.key;
+        this.keyVersion = config.keyVersion ?? 1;
+        this.previousKey = config.previousKey;
+        this.audit = config.audit ?? false;
+        this.auditReads = config.auditReads ?? false;
+    }
+    async init() {
+        if (this.initialized)
+            return;
+        await this.db.schema
+            .createTable('credentials')
+            .ifNotExists()
+            .addColumn('name', 'varchar(255)', (col) => col.notNull())
+            .addColumn('user_id', 'varchar(255)')
+            .addColumn('ciphertext', 'text', (col) => col.notNull())
+            .addColumn('wrapped_dek', 'text', (col) => col.notNull())
+            .addColumn('key_version', 'integer', (col) => col.notNull())
+            .addColumn('created_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+            .addColumn('updated_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+            .execute();
+        await sql `CREATE UNIQUE INDEX IF NOT EXISTS credentials_name_user_id_unique ON credentials (name, COALESCE(user_id, ''))`.execute(this.db);
+        if (this.audit) {
+            await this.db.schema
+                .createTable('credentials_audit')
+                .ifNotExists()
+                .addColumn('id', 'varchar(36)', (col) => col.primaryKey())
+                .addColumn('credential_name', 'varchar(255)', (col) => col.notNull())
+                .addColumn('user_id', 'varchar(255)')
+                .addColumn('action', 'varchar(20)', (col) => col.notNull())
+                .addColumn('performed_at', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+                .execute();
+        }
+        this.initialized = true;
+    }
+    async logAudit(name, userId, action) {
+        if (!this.audit)
+            return;
+        if (action === 'read' && !this.auditReads)
+            return;
+        await this.db
+            .insertInto('credentialsAudit')
+            .values({
+            id: crypto.randomUUID(),
+            credentialName: name,
+            userId: userId ?? null,
+            action,
+            performedAt: new Date().toISOString(),
+        })
+            .execute();
+    }
+    getKEK(version) {
+        if (version === this.keyVersion)
+            return this.key;
+        if (this.previousKey)
+            return this.previousKey;
+        throw new Error(`No KEK available for key_version ${version}`);
+    }
+    whereUserId(qb, userId) {
+        return userId
+            ? qb.where('userId', '=', userId)
+            : qb.where('userId', 'is', null);
+    }
+    async get(name, userId) {
+        let qb = this.db
+            .selectFrom('credentials')
+            .select(['ciphertext', 'wrappedDek', 'keyVersion'])
+            .where('name', '=', name);
+        qb = this.whereUserId(qb, userId);
+        const row = await qb.executeTakeFirst();
+        if (!row)
+            return null;
+        const kek = this.getKEK(row.keyVersion);
+        const plaintext = await envelopeDecrypt(kek, row.ciphertext, row.wrappedDek);
+        await this.logAudit(name, userId, 'read');
+        try {
+            return JSON.parse(plaintext);
+        }
+        catch {
+            throw new Error(`Credential '${name}' contains invalid data`);
+        }
+    }
+    async set(name, value, userId) {
+        const plaintext = JSON.stringify(value);
+        const { ciphertext, wrappedDEK } = await envelopeEncrypt(this.key, plaintext);
+        const now = new Date().toISOString();
+        const exists = await this.has(name, userId);
+        if (exists) {
+            let qb = this.db
+                .updateTable('credentials')
+                .set({
+                ciphertext,
+                wrappedDek: wrappedDEK,
+                keyVersion: this.keyVersion,
+                updatedAt: now,
+            })
+                .where('name', '=', name);
+            qb = this.whereUserId(qb, userId);
+            await qb.execute();
+        }
+        else {
+            await this.db
+                .insertInto('credentials')
+                .values({
+                name,
+                userId: userId ?? null,
+                ciphertext,
+                wrappedDek: wrappedDEK,
+                keyVersion: this.keyVersion,
+                createdAt: now,
+                updatedAt: now,
+            })
+                .execute();
+        }
+        await this.logAudit(name, userId, 'write');
+    }
+    async delete(name, userId) {
+        let qb = this.db.deleteFrom('credentials').where('name', '=', name);
+        qb = this.whereUserId(qb, userId);
+        await qb.execute();
+        await this.logAudit(name, userId, 'delete');
+    }
+    async has(name, userId) {
+        let qb = this.db
+            .selectFrom('credentials')
+            .select('name')
+            .where('name', '=', name);
+        qb = this.whereUserId(qb, userId);
+        const row = await qb.executeTakeFirst();
+        return !!row;
+    }
+    async getAll(userId) {
+        const rows = await this.db
+            .selectFrom('credentials')
+            .select(['name', 'ciphertext', 'wrappedDek', 'keyVersion'])
+            .where('userId', '=', userId)
+            .execute();
+        const result = {};
+        for (const row of rows) {
+            const kek = this.getKEK(row.keyVersion);
+            const plaintext = await envelopeDecrypt(kek, row.ciphertext, row.wrappedDek);
+            try {
+                result[row.name] = JSON.parse(plaintext);
+            }
+            catch {
+                throw new Error(`Credential '${row.name}' contains invalid data`);
+            }
+            await this.logAudit(row.name, userId, 'read');
+        }
+        return result;
+    }
+    async rotateKEK() {
+        if (!this.previousKey) {
+            throw new Error('No previousKey configured — nothing to rotate from');
+        }
+        const rows = await this.db
+            .selectFrom('credentials')
+            .select(['name', 'userId', 'wrappedDek'])
+            .where('keyVersion', '<', this.keyVersion)
+            .execute();
+        for (const row of rows) {
+            const newWrappedDEK = await envelopeRewrap(this.previousKey, this.key, row.wrappedDek);
+            let qb = this.db
+                .updateTable('credentials')
+                .set({
+                wrappedDek: newWrappedDEK,
+                keyVersion: this.keyVersion,
+                updatedAt: new Date().toISOString(),
+            })
+                .where('name', '=', row.name);
+            qb = this.whereUserId(qb, row.userId ?? undefined);
+            await qb.execute();
+            await this.logAudit(row.name, row.userId ?? undefined, 'rotate');
+        }
+        return rows.length;
+    }
+}

package/dist/src/kysely-deployment-service.js

@@ -54,27 +54,27 @@ export class KyselyDeploymentService {
         this.deploymentConfig = { ...config, functions };
         await this.db.transaction().execute(async (trx) => {
             await trx
-                .insertInto('pikku_deployments')
+                .insertInto('pikkuDeployments')
                 .values({
-                deployment_id: config.deploymentId,
+                deploymentId: config.deploymentId,
                 endpoint: config.endpoint,
-                last_heartbeat: new Date(),
+                lastHeartbeat: new Date(),
             })
-                .onConflict((oc) => oc.column('deployment_id').doUpdateSet({
+                .onConflict((oc) => oc.column('deploymentId').doUpdateSet({
                 endpoint: config.endpoint,
-                last_heartbeat: new Date(),
+                lastHeartbeat: new Date(),
             }))
                 .execute();
             await trx
-                .deleteFrom('pikku_deployment_functions')
-                .where('deployment_id', '=', config.deploymentId)
+                .deleteFrom('pikkuDeploymentFunctions')
+                .where('deploymentId', '=', config.deploymentId)
                 .execute();
             if (functions.length > 0) {
                 await trx
-                    .insertInto('pikku_deployment_functions')
+                    .insertInto('pikkuDeploymentFunctions')
                     .values(functions.map((fn) => ({
-                    deployment_id: config.deploymentId,
-                    function_name: fn,
+                    deploymentId: config.deploymentId,
+                    functionName: fn,
                 })))
                     .execute();
             }
@@ -88,8 +88,8 @@ export class KyselyDeploymentService {
         }
         if (this.deploymentConfig) {
             await this.db
-                .deleteFrom('pikku_deployments')
-                .where('deployment_id', '=', this.deploymentConfig.deploymentId)
+                .deleteFrom('pikkuDeployments')
+                .where('deploymentId', '=', this.deploymentConfig.deploymentId)
                 .execute();
         }
     }
@@ -97,15 +97,15 @@ export class KyselyDeploymentService {
         const ttlMs = this.heartbeatTtl;
         const cutoff = new Date(Date.now() - ttlMs);
         const result = await this.db
-            .selectFrom('pikku_deployments as d')
-            .innerJoin('pikku_deployment_functions as f', 'f.deployment_id', 'd.deployment_id')
-            .select(['d.deployment_id', 'd.endpoint'])
-            .where('f.function_name', '=', name)
-            .where('d.last_heartbeat', '>', cutoff)
-            .orderBy('d.last_heartbeat', 'desc')
+            .selectFrom('pikkuDeployments as d')
+            .innerJoin('pikkuDeploymentFunctions as f', 'f.deploymentId', 'd.deploymentId')
+            .select(['d.deploymentId', 'd.endpoint'])
+            .where('f.functionName', '=', name)
+            .where('d.lastHeartbeat', '>', cutoff)
+            .orderBy('d.lastHeartbeat', 'desc')
             .execute();
         return result.map((row) => ({
-            deploymentId: row.deployment_id,
+            deploymentId: row.deploymentId,
             endpoint: row.endpoint,
         }));
     }
@@ -128,9 +128,9 @@ export class KyselyDeploymentService {
             return;
         try {
             await this.db
-                .updateTable('pikku_deployments')
-                .set({ last_heartbeat: new Date() })
-                .where('deployment_id', '=', this.deploymentConfig.deploymentId)
+                .updateTable('pikkuDeployments')
+                .set({ lastHeartbeat: new Date() })
+                .where('deploymentId', '=', this.deploymentConfig.deploymentId)
                 .execute();
         }
         catch {

package/dist/src/kysely-eventhub-store.js

@@ -14,18 +14,18 @@ export class KyselyEventHubStore extends EventHubStore {
     }
     async getChannelIdsForTopic(topic) {
         const result = await this.db
-            .selectFrom('channel_subscriptions')
-            .select('channel_id')
+            .selectFrom('channelSubscriptions')
+            .select('channelId')
             .where('topic', '=', topic)
             .execute();
-        return result.map((row) => row.channel_id);
+        return result.map((row) => row.channelId);
     }
     async subscribe(topic, channelId) {
         try {
             await this.db
-                .insertInto('channel_subscriptions')
-                .values({ channel_id: channelId, topic: topic })
-                .onConflict((oc) => oc.columns(['channel_id', 'topic']).doNothing())
+                .insertInto('channelSubscriptions')
+                .values({ channelId: channelId, topic: topic })
+                .onConflict((oc) => oc.columns(['channelId', 'topic']).doNothing())
                 .execute();
             return true;
         }
@@ -35,8 +35,8 @@ export class KyselyEventHubStore extends EventHubStore {
     }
     async unsubscribe(topic, channelId) {
         const result = await this.db
-            .deleteFrom('channel_subscriptions')
-            .where('channel_id', '=', channelId)
+            .deleteFrom('channelSubscriptions')
+            .where('channelId', '=', channelId)
             .where('topic', '=', topic)
             .executeTakeFirst();
         return BigInt(result.numDeletedRows) > 0n;

package/dist/src/kysely-secret-service.js

@@ -47,12 +47,12 @@ export class KyselySecretService {
         if (action === 'read' && !this.auditReads)
             return;
         await this.db
-            .insertInto('secrets_audit')
+            .insertInto('secretsAudit')
             .values({
             id: crypto.randomUUID(),
-            secret_key: secretKey,
+            secretKey: secretKey,
             action,
-            performed_at: new Date().toISOString(),
+            performedAt: new Date().toISOString(),
         })
             .execute();
     }
@@ -66,13 +66,13 @@ export class KyselySecretService {
     async getSecret(key) {
         const row = await this.db
             .selectFrom('secrets')
-            .select(['ciphertext', 'wrapped_dek', 'key_version'])
+            .select(['ciphertext', 'wrappedDek', 'keyVersion'])
             .where('key', '=', key)
             .executeTakeFirst();
         if (!row)
             throw new Error('Requested secret not found');
-        const kek = this.getKEK(row.key_version);
-        const result = await envelopeDecrypt(kek, row.ciphertext, row.wrapped_dek);
+        const kek = this.getKEK(row.keyVersion);
+        const result = await envelopeDecrypt(kek, row.ciphertext, row.wrappedDek);
         await this.logAudit(key, 'read');
         return result;
     }
@@ -97,16 +97,16 @@ export class KyselySecretService {
             .values({
             key,
             ciphertext,
-            wrapped_dek: wrappedDEK,
-            key_version: this.keyVersion,
-            created_at: now,
-            updated_at: now,
+            wrappedDek: wrappedDEK,
+            keyVersion: this.keyVersion,
+            createdAt: now,
+            updatedAt: now,
         })
             .onConflict((oc) => oc.column('key').doUpdateSet({
             ciphertext,
-            wrapped_dek: wrappedDEK,
-            key_version: this.keyVersion,
-            updated_at: now,
+            wrappedDek: wrappedDEK,
+            keyVersion: this.keyVersion,
+            updatedAt: now,
         }))
             .execute();
         await this.logAudit(key, 'write');
@@ -121,17 +121,17 @@ export class KyselySecretService {
         }
         const rows = await this.db
             .selectFrom('secrets')
-            .select(['key', 'wrapped_dek'])
-            .where('key_version', '<', this.keyVersion)
+            .select(['key', 'wrappedDek'])
+            .where('keyVersion', '<', this.keyVersion)
             .execute();
         for (const row of rows) {
-            const newWrappedDEK = await envelopeRewrap(this.previousKey, this.key, row.wrapped_dek);
+            const newWrappedDEK = await envelopeRewrap(this.previousKey, this.key, row.wrappedDek);
             await this.db
                 .updateTable('secrets')
                 .set({
-                wrapped_dek: newWrappedDEK,
-                key_version: this.keyVersion,
-                updated_at: new Date().toISOString(),
+                wrappedDek: newWrappedDEK,
+                keyVersion: this.keyVersion,
+                updatedAt: new Date().toISOString(),
             })
                 .where('key', '=', row.key)
                 .execute();