@pikku/kysely 0.12.7 → 0.12.9

package/CHANGELOG.md

@@ -1,5 +1,43 @@
 ## 0.12.0
 
+## 0.12.9
+
+### Patch Changes
+
+- 624097e: Add deploy pipeline with provider-agnostic architecture
+
+  - Add MetaService with explicit typed API, absorb WiringService reads
+  - Add deployment service, traceId propagation, scoped logger
+  - Rewrite analyzer: one function = one worker, gateways dispatch via RPC
+  - Add Cloudflare deploy provider with plan/apply commands
+  - Add per-unit filtered codegen for deploy pipeline
+  - Skip missing metadata in wiring registration for deploy units
+  - Fix schema coercion crash when schema has no properties
+  - Fix E2E codegen: double-pass resolves cross-package Zod type imports
+
+- Updated dependencies [9e8605f]
+- Updated dependencies [624097e]
+- Updated dependencies [7ab3243]
+  - @pikku/core@0.12.15
+
+## 0.12.8
+
+### Patch Changes
+
+- f85c234: Add unified credential system with per-user OAuth and AI agent pre-flight checks
+
+  - Unified CredentialService with lazy loading per user via pikkuUserId
+  - wire.getCredential() for typed single credential lookup
+  - MissingCredentialError with structured payload for client-side connect flows
+  - Console UI: Global/Users credential tabs, per-user OAuth connect/revoke
+  - AI agent pre-flight check: detects missing OAuth credentials from addon metadata, shows "Connect your accounts" prompt before chat
+  - CLI codegen: generates credentialsMeta per addon package for runtime lookup
+  - Vercel AI runner: catches MissingCredentialError as runtime fallback
+
+- Updated dependencies [f85c234]
+- Updated dependencies [88d3100]
+  - @pikku/core@0.12.14
+
 ## 0.12.7
 
 ### Patch Changes

package/dist/src/index.d.ts

@@ -4,7 +4,8 @@ export { KyselyWorkflowService } from './kysely-workflow-service.js';
 export { KyselyWorkflowRunService } from './kysely-workflow-run-service.js';
 export { KyselyDeploymentService } from './kysely-deployment-service.js';
 export { KyselyAIStorageService } from './kysely-ai-storage-service.js';
-export { KyselyAgentRunService } from './kysely-agent-run-service.js';
+export { KyselyAgentRunService } from './kysely-ai-agent-run-service.js';
+export { KyselyAIRunStateService } from './kysely-ai-run-state-service.js';
 export { KyselySecretService } from './kysely-secret-service.js';
 export type { KyselySecretServiceConfig } from './kysely-secret-service.js';
 export { KyselyCredentialService } from './kysely-credential-service.js';

package/dist/src/index.js

@@ -4,6 +4,7 @@ export { KyselyWorkflowService } from './kysely-workflow-service.js';
 export { KyselyWorkflowRunService } from './kysely-workflow-run-service.js';
 export { KyselyDeploymentService } from './kysely-deployment-service.js';
 export { KyselyAIStorageService } from './kysely-ai-storage-service.js';
-export { KyselyAgentRunService } from './kysely-agent-run-service.js';
+export { KyselyAgentRunService } from './kysely-ai-agent-run-service.js';
+export { KyselyAIRunStateService } from './kysely-ai-run-state-service.js';
 export { KyselySecretService } from './kysely-secret-service.js';
 export { KyselyCredentialService } from './kysely-credential-service.js';

package/dist/src/kysely-ai-run-state-service.d.ts

@@ -0,0 +1,20 @@
+import type { Kysely } from 'kysely';
+import type { KyselyPikkuDB } from './kysely-tables.js';
+import type { AIRunStateService, CreateRunInput } from '@pikku/core/services';
+import type { AgentRunState, PendingApproval } from '@pikku/core/ai-agent';
+export declare class KyselyAIRunStateService implements AIRunStateService {
+    private db;
+    private initialized;
+    constructor(db: Kysely<KyselyPikkuDB>);
+    init(): Promise<void>;
+    createRun(run: CreateRunInput): Promise<string>;
+    updateRun(runId: string, updates: Partial<AgentRunState>): Promise<void>;
+    getRun(runId: string): Promise<AgentRunState | null>;
+    getRunsByThread(threadId: string): Promise<AgentRunState[]>;
+    resolveApproval(toolCallId: string, status: 'approved' | 'denied'): Promise<void>;
+    findRunByToolCallId(toolCallId: string): Promise<{
+        run: AgentRunState;
+        approval: PendingApproval;
+    } | null>;
+    private toRunState;
+}

package/dist/src/kysely-ai-run-state-service.js

@@ -0,0 +1,172 @@
+import { sql } from 'kysely';
+export class KyselyAIRunStateService {
+    db;
+    initialized = false;
+    constructor(db) {
+        this.db = db;
+    }
+    async init() {
+        if (this.initialized)
+            return;
+        await this.db.schema
+            .createTable('aiRun')
+            .ifNotExists()
+            .addColumn('runId', 'text', (col) => col.primaryKey())
+            .addColumn('agentName', 'text', (col) => col.notNull())
+            .addColumn('threadId', 'text', (col) => col.notNull())
+            .addColumn('resourceId', 'text', (col) => col.notNull())
+            .addColumn('status', 'text', (col) => col.defaultTo('running').notNull())
+            .addColumn('errorMessage', 'text')
+            .addColumn('suspendReason', 'text')
+            .addColumn('missingRpcs', 'text')
+            .addColumn('pendingApprovals', 'text')
+            .addColumn('usageInputTokens', 'integer', (col) => col.defaultTo(0))
+            .addColumn('usageOutputTokens', 'integer', (col) => col.defaultTo(0))
+            .addColumn('usageModel', 'text', (col) => col.defaultTo(''))
+            .addColumn('createdAt', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+            .addColumn('updatedAt', 'timestamp', (col) => col.defaultTo(sql `CURRENT_TIMESTAMP`).notNull())
+            .execute();
+        this.initialized = true;
+    }
+    async createRun(run) {
+        const runId = `run-${crypto.randomUUID()}`;
+        await this.db
+            .insertInto('aiRun')
+            .values({
+            runId,
+            agentName: run.agentName,
+            threadId: run.threadId,
+            resourceId: run.resourceId,
+            status: run.status ?? 'running',
+            errorMessage: run.errorMessage ?? null,
+            suspendReason: run.suspendReason ?? null,
+            missingRpcs: run.missingRpcs ? JSON.stringify(run.missingRpcs) : null,
+            usageInputTokens: run.usage?.inputTokens ?? 0,
+            usageOutputTokens: run.usage?.outputTokens ?? 0,
+            usageModel: run.usage?.model ?? '',
+        })
+            .execute();
+        return runId;
+    }
+    async updateRun(runId, updates) {
+        const values = {
+            updatedAt: sql `CURRENT_TIMESTAMP`,
+        };
+        if (updates.status !== undefined)
+            values.status = updates.status;
+        if (updates.errorMessage !== undefined)
+            values.errorMessage = updates.errorMessage;
+        if (updates.suspendReason !== undefined)
+            values.suspendReason = updates.suspendReason;
+        if (updates.missingRpcs !== undefined)
+            values.missingRpcs = JSON.stringify(updates.missingRpcs);
+        if (updates.pendingApprovals !== undefined)
+            values.pendingApprovals = JSON.stringify(updates.pendingApprovals);
+        if (updates.usage) {
+            values.usageInputTokens = updates.usage.inputTokens;
+            values.usageOutputTokens = updates.usage.outputTokens;
+            values.usageModel = updates.usage.model;
+        }
+        await this.db
+            .updateTable('aiRun')
+            .set(values)
+            .where('runId', '=', runId)
+            .execute();
+    }
+    async getRun(runId) {
+        const row = await this.db
+            .selectFrom('aiRun')
+            .selectAll()
+            .where('runId', '=', runId)
+            .executeTakeFirst();
+        return row ? this.toRunState(row) : null;
+    }
+    async getRunsByThread(threadId) {
+        const rows = await this.db
+            .selectFrom('aiRun')
+            .selectAll()
+            .where('threadId', '=', threadId)
+            .orderBy('createdAt', 'desc')
+            .execute();
+        return rows.map((r) => this.toRunState(r));
+    }
+    async resolveApproval(toolCallId, status) {
+        const rows = await this.db
+            .selectFrom('aiRun')
+            .select(['runId', 'pendingApprovals'])
+            .where('status', '=', 'suspended')
+            .execute();
+        for (const row of rows) {
+            let approvals = [];
+            if (row.pendingApprovals) {
+                try {
+                    approvals = JSON.parse(row.pendingApprovals);
+                }
+                catch {
+                    console.warn(`Failed to parse pendingApprovals for run ${row.runId}, treating as empty`);
+                }
+            }
+            const filtered = approvals.filter((a) => a.toolCallId !== toolCallId);
+            if (filtered.length !== approvals.length) {
+                const updates = {
+                    pendingApprovals: filtered.length > 0 ? JSON.stringify(filtered) : null,
+                    updatedAt: sql `CURRENT_TIMESTAMP`,
+                };
+                if (filtered.length === 0) {
+                    updates.status = status;
+                }
+                await this.db
+                    .updateTable('aiRun')
+                    .set(updates)
+                    .where('runId', '=', row.runId)
+                    .execute();
+                return;
+            }
+        }
+    }
+    async findRunByToolCallId(toolCallId) {
+        const rows = await this.db
+            .selectFrom('aiRun')
+            .selectAll()
+            .where('status', '=', 'suspended')
+            .execute();
+        for (const row of rows) {
+            let approvals = [];
+            if (row.pendingApprovals) {
+                try {
+                    approvals = JSON.parse(row.pendingApprovals);
+                }
+                catch {
+                    console.warn(`Failed to parse pendingApprovals for run ${row.runId}, treating as empty`);
+                }
+            }
+            const approval = approvals.find((a) => a.toolCallId === toolCallId);
+            if (approval) {
+                return { run: this.toRunState(row), approval };
+            }
+        }
+        return null;
+    }
+    toRunState(row) {
+        return {
+            runId: row.runId,
+            agentName: row.agentName,
+            threadId: row.threadId,
+            resourceId: row.resourceId,
+            status: row.status,
+            errorMessage: row.errorMessage ?? undefined,
+            suspendReason: row.suspendReason ?? undefined,
+            missingRpcs: row.missingRpcs ? JSON.parse(row.missingRpcs) : undefined,
+            pendingApprovals: row.pendingApprovals
+                ? JSON.parse(row.pendingApprovals)
+                : undefined,
+            usage: {
+                inputTokens: row.usageInputTokens ?? 0,
+                outputTokens: row.usageOutputTokens ?? 0,
+                model: row.usageModel ?? '',
+            },
+            createdAt: new Date(row.createdAt),
+            updatedAt: new Date(row.updatedAt),
+        };
+    }
+}

package/dist/src/kysely-credential-service.d.ts

@@ -26,5 +26,7 @@ export declare class KyselyCredentialService implements CredentialService {
     delete(name: string, userId?: string): Promise<void>;
     has(name: string, userId?: string): Promise<boolean>;
     getAll(userId: string): Promise<Record<string, unknown>>;
+    getUsersWithCredential(name: string): Promise<string[]>;
+    getAllUsers(): Promise<string[]>;
     rotateKEK(): Promise<number>;
 }

package/dist/src/kysely-credential-service.js

@@ -160,6 +160,24 @@ export class KyselyCredentialService {
         }
         return result;
     }
+    async getUsersWithCredential(name) {
+        const rows = await this.db
+            .selectFrom('credentials')
+            .select('userId')
+            .where('name', '=', name)
+            .where('userId', 'is not', null)
+            .execute();
+        return rows.map((row) => row.userId).filter(Boolean);
+    }
+    async getAllUsers() {
+        const rows = await this.db
+            .selectFrom('credentials')
+            .select('userId')
+            .distinct()
+            .where('userId', 'is not', null)
+            .execute();
+        return rows.map((row) => row.userId).filter(Boolean);
+    }
     async rotateKEK() {
         if (!this.previousKey) {
             throw new Error('No previousKey configured — nothing to rotate from');

package/dist/src/kysely-deployment-service.d.ts

@@ -1,18 +1,21 @@
-import type { DeploymentService, DeploymentServiceConfig, DeploymentConfig, DeploymentInfo } from '@pikku/core/services';
+import type { DeploymentService, DeploymentServiceConfig, DeploymentConfig } from '@pikku/core/services';
+import type { JWTService, SecretService } from '@pikku/core/services';
 import type { Kysely } from 'kysely';
 import type { KyselyPikkuDB } from './kysely-tables.js';
 export declare class KyselyDeploymentService implements DeploymentService {
     protected db: Kysely<KyselyPikkuDB>;
+    private jwt?;
+    private secrets?;
     private initialized;
     private heartbeatTimer?;
     private deploymentConfig?;
     private heartbeatInterval;
     private heartbeatTtl;
-    constructor(config: DeploymentServiceConfig, db: Kysely<KyselyPikkuDB>);
+    constructor(config: DeploymentServiceConfig, db: Kysely<KyselyPikkuDB>, jwt?: JWTService | undefined, secrets?: SecretService | undefined);
     init(): Promise<void>;
     start(config: DeploymentConfig): Promise<void>;
     stop(): Promise<void>;
-    findFunction(name: string): Promise<DeploymentInfo[]>;
+    invoke(funcName: string, data: unknown, session?: unknown, traceId?: string): Promise<unknown>;
     private createIndexSafe;
     private sendHeartbeat;
 }

package/dist/src/kysely-deployment-service.js

@@ -1,14 +1,19 @@
+import { buildRemoteHeaders } from '@pikku/core/remote';
 import { getAllFunctionNames } from '@pikku/core/function';
 import { sql } from 'kysely';
 export class KyselyDeploymentService {
     db;
+    jwt;
+    secrets;
     initialized = false;
     heartbeatTimer;
     deploymentConfig;
     heartbeatInterval;
     heartbeatTtl;
-    constructor(config, db) {
+    constructor(config, db, jwt, secrets) {
         this.db = db;
+        this.jwt = jwt;
+        this.secrets = secrets;
         this.heartbeatInterval = config.heartbeatInterval ?? 10000;
         this.heartbeatTtl = config.heartbeatTtl ?? 30000;
     }
@@ -93,21 +98,36 @@ export class KyselyDeploymentService {
                 .execute();
         }
     }
-    async findFunction(name) {
+    async invoke(funcName, data, session, traceId) {
+        const headers = await buildRemoteHeaders(this.jwt, this.secrets, funcName, session, traceId);
         const ttlMs = this.heartbeatTtl;
         const cutoff = new Date(Date.now() - ttlMs);
         const result = await this.db
             .selectFrom('pikkuDeployments as d')
             .innerJoin('pikkuDeploymentFunctions as f', 'f.deploymentId', 'd.deploymentId')
             .select(['d.deploymentId', 'd.endpoint'])
-            .where('f.functionName', '=', name)
+            .where('f.functionName', '=', funcName)
             .where('d.lastHeartbeat', '>', cutoff)
             .orderBy('d.lastHeartbeat', 'desc')
+            .limit(1)
             .execute();
-        return result.map((row) => ({
-            deploymentId: row.deploymentId,
-            endpoint: row.endpoint,
-        }));
+        if (result.length === 0) {
+            throw new Error(`No deployment found for function '${funcName}'`);
+        }
+        const endpoint = result[0].endpoint;
+        const url = `${endpoint}/remote/rpc/${encodeURIComponent(funcName)}`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/json',
+                ...headers,
+            },
+            body: JSON.stringify({ data }),
+        });
+        if (!response.ok) {
+            throw new Error(`Remote RPC call to '${funcName}' failed: ${response.status}`);
+        }
+        return response.json();
     }
     async createIndexSafe(builder) {
         try {

package/dist/src/kysely-tables.d.ts

@@ -105,7 +105,7 @@ export interface AIRunTable {
     resourceId: string;
     status: Generated<'running' | 'suspended' | 'completed' | 'failed'>;
     errorMessage: string | null;
-    suspendReason: 'approval' | 'rpc-missing' | null;
+    suspendReason: 'approval' | 'credential' | 'rpc-missing' | null;
     missingRpcs: string | null;
     usageInputTokens: Generated<number>;
     usageOutputTokens: Generated<number>;

package/dist/src/kysely-workflow-run-service.js

@@ -175,7 +175,7 @@ export class KyselyWorkflowRunService {
         let query = this.db
             .selectFrom('workflowVersions')
             .select(['workflowName', 'graphHash', 'graph'])
-            .where('source', '=', 'ai-agent')
+            .where('source', '=', 'dynamic-workflow')
             .where('status', '=', 'active');
         if (agentName) {
             query = query.where('workflowName', 'like', `ai:${agentName}:%`);

package/dist/src/kysely-workflow-service.js

@@ -105,8 +105,8 @@ export class KyselyWorkflowService extends PikkuWorkflowService {
             status: 'running',
             input: JSON.stringify(input),
             inline,
-            graphHash: graphHash,
-            wire: JSON.stringify(wire),
+            graphHash: graphHash ?? null,
+            wire: wire ? JSON.stringify(wire) : null,
         })
             .execute();
         return id;
@@ -486,7 +486,20 @@ export class KyselyWorkflowService extends PikkuWorkflowService {
         return this.runService.getWorkflowVersion(name, graphHash);
     }
     async getAIGeneratedWorkflows(agentName) {
-        return this.runService.getAIGeneratedWorkflows(agentName);
+        let query = this.db
+            .selectFrom('workflowVersions')
+            .select(['workflowName', 'graphHash', 'graph'])
+            .where('source', '=', 'dynamic-workflow')
+            .where('status', '=', 'active');
+        if (agentName) {
+            query = query.where('workflowName', 'like', `ai:${agentName}:%`);
+        }
+        const rows = await query.execute();
+        return rows.map((row) => ({
+            workflowName: row.workflowName,
+            graphHash: row.graphHash,
+            graph: typeof row.graph === 'string' ? JSON.parse(row.graph) : row.graph,
+        }));
     }
     async close() { }
 }

package/dist/tsconfig.tsbuildinfo

@@ -1 +1 @@
-{"root":["../src/index.ts","../src/kysely-agent-run-service.ts","../src/kysely-ai-storage-service.ts","../src/kysely-channel-store.ts","../src/kysely-credential-service.ts","../src/kysely-deployment-service.ts","../src/kysely-eventhub-store.ts","../src/kysely-json.ts","../src/kysely-secret-service.ts","../src/kysely-tables.ts","../src/kysely-workflow-run-service.ts","../src/kysely-workflow-service.ts","../bin/pikku-kysely-pure.ts"],"version":"5.9.3"}
+{"root":["../src/index.ts","../src/kysely-ai-agent-run-service.ts","../src/kysely-ai-run-state-service.ts","../src/kysely-ai-storage-service.ts","../src/kysely-channel-store.ts","../src/kysely-credential-service.ts","../src/kysely-deployment-service.ts","../src/kysely-eventhub-store.ts","../src/kysely-json.ts","../src/kysely-secret-service.ts","../src/kysely-tables.ts","../src/kysely-workflow-run-service.ts","../src/kysely-workflow-service.ts","../bin/pikku-kysely-pure.ts"],"version":"5.9.3"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pikku/kysely",
-  "version": "0.12.7",
+  "version": "0.12.9",
   "author": "yasser.fadl@gmail.com",
   "license": "MIT",
   "module": "dist/src/index.js",
@@ -20,7 +20,7 @@
     "prepublishOnly": "yarn build"
   },
   "peerDependencies": {
-    "@pikku/core": "^0.12.10"
+    "@pikku/core": "^0.12.15"
   },
   "dependencies": {
     "kysely": "^0.28.12"

package/src/index.ts

@@ -4,7 +4,8 @@ export { KyselyWorkflowService } from './kysely-workflow-service.js'
 export { KyselyWorkflowRunService } from './kysely-workflow-run-service.js'
 export { KyselyDeploymentService } from './kysely-deployment-service.js'
 export { KyselyAIStorageService } from './kysely-ai-storage-service.js'
-export { KyselyAgentRunService } from './kysely-agent-run-service.js'
+export { KyselyAgentRunService } from './kysely-ai-agent-run-service.js'
+export { KyselyAIRunStateService } from './kysely-ai-run-state-service.js'
 export { KyselySecretService } from './kysely-secret-service.js'
 export type { KyselySecretServiceConfig } from './kysely-secret-service.js'
 export { KyselyCredentialService } from './kysely-credential-service.js'

package/src/kysely-ai-run-state-service.ts

@@ -0,0 +1,197 @@
+import { sql } from 'kysely'
+import type { Kysely } from 'kysely'
+import type { KyselyPikkuDB } from './kysely-tables.js'
+import type { AIRunStateService, CreateRunInput } from '@pikku/core/services'
+import type { AgentRunState, PendingApproval } from '@pikku/core/ai-agent'
+
+export class KyselyAIRunStateService implements AIRunStateService {
+  private initialized = false
+
+  constructor(private db: Kysely<KyselyPikkuDB>) {}
+
+  async init(): Promise<void> {
+    if (this.initialized) return
+
+    await this.db.schema
+      .createTable('aiRun')
+      .ifNotExists()
+      .addColumn('runId', 'text', (col) => col.primaryKey())
+      .addColumn('agentName', 'text', (col) => col.notNull())
+      .addColumn('threadId', 'text', (col) => col.notNull())
+      .addColumn('resourceId', 'text', (col) => col.notNull())
+      .addColumn('status', 'text', (col) => col.defaultTo('running').notNull())
+      .addColumn('errorMessage', 'text')
+      .addColumn('suspendReason', 'text')
+      .addColumn('missingRpcs', 'text')
+      .addColumn('pendingApprovals', 'text')
+      .addColumn('usageInputTokens', 'integer', (col) => col.defaultTo(0))
+      .addColumn('usageOutputTokens', 'integer', (col) => col.defaultTo(0))
+      .addColumn('usageModel', 'text', (col) => col.defaultTo(''))
+      .addColumn('createdAt', 'timestamp', (col) =>
+        col.defaultTo(sql`CURRENT_TIMESTAMP`).notNull()
+      )
+      .addColumn('updatedAt', 'timestamp', (col) =>
+        col.defaultTo(sql`CURRENT_TIMESTAMP`).notNull()
+      )
+      .execute()
+
+    this.initialized = true
+  }
+
+  async createRun(run: CreateRunInput): Promise<string> {
+    const runId = `run-${crypto.randomUUID()}`
+    await this.db
+      .insertInto('aiRun')
+      .values({
+        runId,
+        agentName: run.agentName,
+        threadId: run.threadId,
+        resourceId: run.resourceId,
+        status: run.status ?? 'running',
+        errorMessage: run.errorMessage ?? null,
+        suspendReason: run.suspendReason ?? null,
+        missingRpcs: run.missingRpcs ? JSON.stringify(run.missingRpcs) : null,
+        usageInputTokens: run.usage?.inputTokens ?? 0,
+        usageOutputTokens: run.usage?.outputTokens ?? 0,
+        usageModel: run.usage?.model ?? '',
+      })
+      .execute()
+    return runId
+  }
+
+  async updateRun(
+    runId: string,
+    updates: Partial<AgentRunState>
+  ): Promise<void> {
+    const values: Record<string, unknown> = {
+      updatedAt: sql`CURRENT_TIMESTAMP`,
+    }
+    if (updates.status !== undefined) values.status = updates.status
+    if (updates.errorMessage !== undefined)
+      values.errorMessage = updates.errorMessage
+    if (updates.suspendReason !== undefined)
+      values.suspendReason = updates.suspendReason
+    if (updates.missingRpcs !== undefined)
+      values.missingRpcs = JSON.stringify(updates.missingRpcs)
+    if (updates.pendingApprovals !== undefined)
+      values.pendingApprovals = JSON.stringify(updates.pendingApprovals)
+    if (updates.usage) {
+      values.usageInputTokens = updates.usage.inputTokens
+      values.usageOutputTokens = updates.usage.outputTokens
+      values.usageModel = updates.usage.model
+    }
+
+    await this.db
+      .updateTable('aiRun')
+      .set(values)
+      .where('runId', '=', runId)
+      .execute()
+  }
+
+  async getRun(runId: string): Promise<AgentRunState | null> {
+    const row = await this.db
+      .selectFrom('aiRun')
+      .selectAll()
+      .where('runId', '=', runId)
+      .executeTakeFirst()
+    return row ? this.toRunState(row) : null
+  }
+
+  async getRunsByThread(threadId: string): Promise<AgentRunState[]> {
+    const rows = await this.db
+      .selectFrom('aiRun')
+      .selectAll()
+      .where('threadId', '=', threadId)
+      .orderBy('createdAt', 'desc')
+      .execute()
+    return rows.map((r) => this.toRunState(r))
+  }
+
+  async resolveApproval(
+    toolCallId: string,
+    status: 'approved' | 'denied'
+  ): Promise<void> {
+    const rows = await this.db
+      .selectFrom('aiRun')
+      .select(['runId', 'pendingApprovals' as any])
+      .where('status', '=', 'suspended')
+      .execute()
+
+    for (const row of rows) {
+      let approvals: PendingApproval[] = []
+      if (row.pendingApprovals) {
+        try {
+          approvals = JSON.parse(row.pendingApprovals as string)
+        } catch {
+          console.warn(`Failed to parse pendingApprovals for run ${row.runId}, treating as empty`)
+        }
+      }
+      const filtered = approvals.filter((a) => a.toolCallId !== toolCallId)
+      if (filtered.length !== approvals.length) {
+        const updates: Record<string, unknown> = {
+          pendingApprovals:
+            filtered.length > 0 ? JSON.stringify(filtered) : null,
+          updatedAt: sql`CURRENT_TIMESTAMP`,
+        }
+        if (filtered.length === 0) {
+          updates.status = status
+        }
+        await this.db
+          .updateTable('aiRun')
+          .set(updates as any)
+          .where('runId', '=', row.runId)
+          .execute()
+        return
+      }
+    }
+  }
+
+  async findRunByToolCallId(
+    toolCallId: string
+  ): Promise<{ run: AgentRunState; approval: PendingApproval } | null> {
+    const rows = await this.db
+      .selectFrom('aiRun')
+      .selectAll()
+      .where('status', '=', 'suspended')
+      .execute()
+
+    for (const row of rows) {
+      let approvals: PendingApproval[] = []
+      if ((row as any).pendingApprovals) {
+        try {
+          approvals = JSON.parse((row as any).pendingApprovals)
+        } catch {
+          console.warn(`Failed to parse pendingApprovals for run ${row.runId}, treating as empty`)
+        }
+      }
+      const approval = approvals.find((a) => a.toolCallId === toolCallId)
+      if (approval) {
+        return { run: this.toRunState(row), approval }
+      }
+    }
+    return null
+  }
+
+  private toRunState(row: any): AgentRunState {
+    return {
+      runId: row.runId,
+      agentName: row.agentName,
+      threadId: row.threadId,
+      resourceId: row.resourceId,
+      status: row.status,
+      errorMessage: row.errorMessage ?? undefined,
+      suspendReason: row.suspendReason ?? undefined,
+      missingRpcs: row.missingRpcs ? JSON.parse(row.missingRpcs) : undefined,
+      pendingApprovals: row.pendingApprovals
+        ? JSON.parse(row.pendingApprovals)
+        : undefined,
+      usage: {
+        inputTokens: row.usageInputTokens ?? 0,
+        outputTokens: row.usageOutputTokens ?? 0,
+        model: row.usageModel ?? '',
+      },
+      createdAt: new Date(row.createdAt),
+      updatedAt: new Date(row.updatedAt),
+    }
+  }
+}

package/src/kysely-credential-service.ts

@@ -216,6 +216,28 @@ export class KyselyCredentialService implements CredentialService {
     return result
   }
 
+  async getUsersWithCredential(name: string): Promise<string[]> {
+    const rows = await this.db
+      .selectFrom('credentials')
+      .select('userId')
+      .where('name', '=', name)
+      .where('userId', 'is not', null)
+      .execute()
+
+    return rows.map((row) => row.userId!).filter(Boolean)
+  }
+
+  async getAllUsers(): Promise<string[]> {
+    const rows = await this.db
+      .selectFrom('credentials')
+      .select('userId')
+      .distinct()
+      .where('userId', 'is not', null)
+      .execute()
+
+    return rows.map((row) => row.userId!).filter(Boolean)
+  }
+
   async rotateKEK(): Promise<number> {
     if (!this.previousKey) {
       throw new Error('No previousKey configured — nothing to rotate from')

package/src/kysely-deployment-service.ts

@@ -1,9 +1,10 @@
+import { buildRemoteHeaders } from '@pikku/core/remote'
 import type {
   DeploymentService,
   DeploymentServiceConfig,
   DeploymentConfig,
-  DeploymentInfo,
 } from '@pikku/core/services'
+import type { JWTService, SecretService } from '@pikku/core/services'
 import { getAllFunctionNames } from '@pikku/core/function'
 import type { Kysely } from 'kysely'
 import { sql } from 'kysely'
@@ -18,7 +19,9 @@ export class KyselyDeploymentService implements DeploymentService {
 
   constructor(
     config: DeploymentServiceConfig,
-    protected db: Kysely<KyselyPikkuDB>
+    protected db: Kysely<KyselyPikkuDB>,
+    private jwt?: JWTService,
+    private secrets?: SecretService
   ) {
     this.heartbeatInterval = config.heartbeatInterval ?? 10000
     this.heartbeatTtl = config.heartbeatTtl ?? 30000
@@ -135,7 +138,19 @@ export class KyselyDeploymentService implements DeploymentService {
     }
   }
 
-  async findFunction(name: string): Promise<DeploymentInfo[]> {
+  async invoke(
+    funcName: string,
+    data: unknown,
+    session?: unknown,
+    traceId?: string
+  ): Promise<unknown> {
+    const headers = await buildRemoteHeaders(
+      this.jwt,
+      this.secrets,
+      funcName,
+      session,
+      traceId
+    )
     const ttlMs = this.heartbeatTtl
     const cutoff = new Date(Date.now() - ttlMs)
 
@@ -147,15 +162,34 @@ export class KyselyDeploymentService implements DeploymentService {
         'd.deploymentId'
       )
       .select(['d.deploymentId', 'd.endpoint'])
-      .where('f.functionName', '=', name)
+      .where('f.functionName', '=', funcName)
       .where('d.lastHeartbeat', '>', cutoff)
       .orderBy('d.lastHeartbeat', 'desc')
+      .limit(1)
       .execute()
 
-    return result.map((row) => ({
-      deploymentId: row.deploymentId,
-      endpoint: row.endpoint,
-    }))
+    if (result.length === 0) {
+      throw new Error(`No deployment found for function '${funcName}'`)
+    }
+
+    const endpoint = result[0].endpoint
+    const url = `${endpoint}/remote/rpc/${encodeURIComponent(funcName)}`
+    const response = await fetch(url, {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        ...headers,
+      },
+      body: JSON.stringify({ data }),
+    })
+
+    if (!response.ok) {
+      throw new Error(
+        `Remote RPC call to '${funcName}' failed: ${response.status}`
+      )
+    }
+
+    return response.json()
   }
 
   private async createIndexSafe(builder: {

package/src/kysely-services.test.ts

@@ -14,7 +14,7 @@ import { KyselyWorkflowService } from './kysely-workflow-service.js'
 import { KyselyWorkflowRunService } from './kysely-workflow-run-service.js'
 import { KyselyDeploymentService } from './kysely-deployment-service.js'
 import { KyselyAIStorageService } from './kysely-ai-storage-service.js'
-import { KyselyAgentRunService } from './kysely-agent-run-service.js'
+import { KyselyAgentRunService } from './kysely-ai-agent-run-service.js'
 import { KyselySecretService } from './kysely-secret-service.js'
 import { KyselyCredentialService } from './kysely-credential-service.js'
 

package/src/kysely-tables.ts

@@ -120,7 +120,7 @@ export interface AIRunTable {
   resourceId: string
   status: Generated<'running' | 'suspended' | 'completed' | 'failed'>
   errorMessage: string | null
-  suspendReason: 'approval' | 'rpc-missing' | null
+  suspendReason: 'approval' | 'credential' | 'rpc-missing' | null
   missingRpcs: string | null
   usageInputTokens: Generated<number>
   usageOutputTokens: Generated<number>

package/src/kysely-workflow-run-service.ts

@@ -223,7 +223,7 @@ export class KyselyWorkflowRunService implements WorkflowRunService {
     let query = this.db
       .selectFrom('workflowVersions')
       .select(['workflowName', 'graphHash', 'graph'])
-      .where('source', '=', 'ai-agent')
+      .where('source', '=', 'dynamic-workflow')
       .where('status', '=', 'active')
     if (agentName) {
       query = query.where('workflowName', 'like', `ai:${agentName}:%`)

package/src/kysely-workflow-service.ts

@@ -150,8 +150,8 @@ export class KyselyWorkflowService extends PikkuWorkflowService {
         status: 'running',
         input: JSON.stringify(input),
         inline,
-        graphHash: graphHash,
-        wire: JSON.stringify(wire),
+        graphHash: graphHash ?? null,
+        wire: wire ? JSON.stringify(wire) : null,
       })
       .execute()
 
@@ -625,9 +625,7 @@ export class KyselyWorkflowService extends PikkuWorkflowService {
         source,
         status: status ?? 'active',
       })
-      .onConflict((oc) =>
-        oc.columns(['workflowName', 'graphHash']).doNothing()
-      )
+      .onConflict((oc) => oc.columns(['workflowName', 'graphHash']).doNothing())
       .execute()
   }
 
@@ -654,7 +652,20 @@ export class KyselyWorkflowService extends PikkuWorkflowService {
   async getAIGeneratedWorkflows(
     agentName?: string
   ): Promise<Array<{ workflowName: string; graphHash: string; graph: any }>> {
-    return this.runService.getAIGeneratedWorkflows(agentName)
+    let query = this.db
+      .selectFrom('workflowVersions')
+      .select(['workflowName', 'graphHash', 'graph'])
+      .where('source', '=', 'dynamic-workflow')
+      .where('status', '=', 'active')
+    if (agentName) {
+      query = query.where('workflowName', 'like', `ai:${agentName}:%`)
+    }
+    const rows = await query.execute()
+    return rows.map((row) => ({
+      workflowName: row.workflowName,
+      graphHash: row.graphHash,
+      graph: typeof row.graph === 'string' ? JSON.parse(row.graph) : row.graph,
+    }))
   }
 
   async close(): Promise<void> {}