@secondlayer/shared 0.12.3 → 1.1.0

package/README.md

@@ -1,6 +1,6 @@
 # @secondlayer/shared
 
-Foundational utilities for Second Layer services: DB layer (Kysely+Postgres), job queue, Zod schemas, HMAC signing, Stacks node clients.
+Foundational utilities for Second Layer services: DB layer (Kysely+Postgres), Zod schemas, HMAC signing, Stacks node clients.
 
 ## Testing
 
@@ -9,7 +9,7 @@ Foundational utilities for Second Layer services: DB layer (Kysely+Postgres), jo
 bun test
 
 # Run with database
-DATABASE_URL=postgresql://postgres:postgres@localhost:5432/streams_test bun test
+DATABASE_URL=postgresql://postgres:postgres@localhost:5432/secondlayer_test bun test
 ```
 
 ## Migrations
@@ -24,16 +24,14 @@ DATABASE_URL=... bun run migrate
 |------|-------------|
 | `@secondlayer/shared` | Core utilities |
 | `@secondlayer/shared/db` | Kysely database layer |
-| `@secondlayer/shared/db/queries/*` | Query helpers (integrity, metrics, accounts, usage, subgraphs) |
+| `@secondlayer/shared/db/queries/*` | Query helpers (integrity, accounts, usage, subgraphs, marketplace, projects, subgraph-gaps, workflows) |
 | `@secondlayer/shared/db/schema` | Database schema |
 | `@secondlayer/shared/db/jsonb` | JSONB helpers |
 | `@secondlayer/shared/schemas` | Zod schemas |
-| `@secondlayer/shared/schemas/filters` | Stream filter schemas |
+| `@secondlayer/shared/schemas/filters` | Event filter schemas |
 | `@secondlayer/shared/schemas/subgraphs` | Subgraph schemas |
 | `@secondlayer/shared/types` | Shared TypeScript types |
-| `@secondlayer/shared/queue` | Job queue |
-| `@secondlayer/shared/queue/listener` | Queue listener |
-| `@secondlayer/shared/queue/recovery` | Queue recovery |
+| `@secondlayer/shared/queue/listener` | Postgres LISTEN/NOTIFY helper (used for block notifications) |
 | `@secondlayer/shared/env` | Environment config |
 | `@secondlayer/shared/logger` | Logger |
 | `@secondlayer/shared/errors` | Error types |

package/dist/src/constants.d.ts

@@ -1,2 +1,2 @@
-declare const ADMIN_EMAILS: unknown;
+declare const ADMIN_EMAILS: string[];
 export { ADMIN_EMAILS };

package/dist/src/constants.js.map

@@ -2,9 +2,9 @@
   "version": 3,
   "sources": ["../src/constants.ts"],
   "sourcesContent": [
-    "export const ADMIN_EMAILS = [\"ryan.waits@gmail.com\"];\n"
+    "export const ADMIN_EMAILS: string[] = [\"ryan.waits@gmail.com\"];\n"
   ],
-  "mappings": ";;;;;;;;;;;;;;;;;AAAO,IAAM,eAAe,CAAC,sBAAsB;",
+  "mappings": ";;;;;;;;;;;;;;;;;AAAO,IAAM,eAAyB,CAAC,sBAAsB;",
   "debugId": "171573A31D5D2E7964756E2164756E21",
   "names": []
 }

package/dist/src/crypto/secrets.d.ts

@@ -0,0 +1,5 @@
+declare function encryptSecret(plaintext: string): Buffer;
+declare function decryptSecret(envelope: Buffer): string;
+/** Generate a fresh 32-byte hex key suitable for `SECONDLAYER_SECRETS_KEY`. */
+declare function generateSecretsKey(): string;
+export { generateSecretsKey, encryptSecret, decryptSecret };

package/dist/src/crypto/secrets.js

@@ -0,0 +1,69 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+
+// src/crypto/secrets.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+var KEY_ENV = "SECONDLAYER_SECRETS_KEY";
+var IV_LEN = 12;
+var TAG_LEN = 16;
+function loadKey() {
+  const hex = process.env[KEY_ENV];
+  if (!hex) {
+    throw new Error(`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`);
+  }
+  const key = Buffer.from(hex, "hex");
+  if (key.length !== 32) {
+    throw new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);
+  }
+  return key;
+}
+var _cachedKey = null;
+function getKey() {
+  if (!_cachedKey)
+    _cachedKey = loadKey();
+  return _cachedKey;
+}
+function encryptSecret(plaintext) {
+  const key = getKey();
+  const iv = randomBytes(IV_LEN);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, ciphertext]);
+}
+function decryptSecret(envelope) {
+  const key = getKey();
+  const iv = envelope.subarray(0, IV_LEN);
+  const tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);
+  const ciphertext = envelope.subarray(IV_LEN + TAG_LEN);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(ciphertext).toString("utf8") + decipher.final("utf8");
+}
+function generateSecretsKey() {
+  return randomBytes(32).toString("hex");
+}
+export {
+  generateSecretsKey,
+  encryptSecret,
+  decryptSecret
+};
+
+//# debugId=0FD7F496A1099A3864756E2164756E21
+//# sourceMappingURL=secrets.js.map

package/dist/src/crypto/secrets.js.map

@@ -0,0 +1,10 @@
+{
+  "version": 3,
+  "sources": ["../src/crypto/secrets.ts"],
+  "sourcesContent": [
+    "import { createCipheriv, createDecipheriv, randomBytes } from \"node:crypto\";\n\n/**\n * AES-256-GCM symmetric envelope for workflow signer secrets.\n *\n * Ciphertext layout: `iv (12 bytes) || authTag (16 bytes) || ciphertext`\n *\n * The key comes from `SECONDLAYER_SECRETS_KEY` — 32 bytes hex. Callers must\n * load + cache the key once per process. Rotation strategy: when a customer\n * wants to rotate keys, re-encrypt all rows with the new key and swap the\n * env var. Not zero-downtime, but acceptable at v2 scale.\n *\n * For real KMS (AWS KMS, HashiCorp Vault, GCP KMS), wrap the same byte\n * layout behind an `EncryptSecret` / `DecryptSecret` interface in the\n * runner and swap the implementation at startup.\n */\n\nconst KEY_ENV = \"SECONDLAYER_SECRETS_KEY\";\nconst IV_LEN = 12;\nconst TAG_LEN = 16;\n\nfunction loadKey(): Buffer {\n\tconst hex = process.env[KEY_ENV];\n\tif (!hex) {\n\t\tthrow new Error(\n\t\t\t`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`,\n\t\t);\n\t}\n\tconst key = Buffer.from(hex, \"hex\");\n\tif (key.length !== 32) {\n\t\tthrow new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);\n\t}\n\treturn key;\n}\n\nlet _cachedKey: Buffer | null = null;\nfunction getKey(): Buffer {\n\tif (!_cachedKey) _cachedKey = loadKey();\n\treturn _cachedKey;\n}\n\nexport function encryptSecret(plaintext: string): Buffer {\n\tconst key = getKey();\n\tconst iv = randomBytes(IV_LEN);\n\tconst cipher = createCipheriv(\"aes-256-gcm\", key, iv);\n\tconst ciphertext = Buffer.concat([\n\t\tcipher.update(plaintext, \"utf8\"),\n\t\tcipher.final(),\n\t]);\n\tconst tag = cipher.getAuthTag();\n\treturn Buffer.concat([iv, tag, ciphertext]);\n}\n\nexport function decryptSecret(envelope: Buffer): string {\n\tconst key = getKey();\n\tconst iv = envelope.subarray(0, IV_LEN);\n\tconst tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);\n\tconst ciphertext = envelope.subarray(IV_LEN + TAG_LEN);\n\tconst decipher = createDecipheriv(\"aes-256-gcm\", key, iv);\n\tdecipher.setAuthTag(tag);\n\treturn decipher.update(ciphertext).toString(\"utf8\") + decipher.final(\"utf8\");\n}\n\n/** Generate a fresh 32-byte hex key suitable for `SECONDLAYER_SECRETS_KEY`. */\nexport function generateSecretsKey(): string {\n\treturn randomBytes(32).toString(\"hex\");\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAiBA,IAAM,UAAU;AAChB,IAAM,SAAS;AACf,IAAM,UAAU;AAEhB,SAAS,OAAO,GAAW;AAAA,EAC1B,MAAM,MAAM,QAAQ,IAAI;AAAA,EACxB,IAAI,CAAC,KAAK;AAAA,IACT,MAAM,IAAI,MACT,GAAG,0DACJ;AAAA,EACD;AAAA,EACA,MAAM,MAAM,OAAO,KAAK,KAAK,KAAK;AAAA,EAClC,IAAI,IAAI,WAAW,IAAI;AAAA,IACtB,MAAM,IAAI,MAAM,GAAG,qCAAqC,IAAI,SAAS;AAAA,EACtE;AAAA,EACA,OAAO;AAAA;AAGR,IAAI,aAA4B;AAChC,SAAS,MAAM,GAAW;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,aAAa,QAAQ;AAAA,EACtC,OAAO;AAAA;AAGD,SAAS,aAAa,CAAC,WAA2B;AAAA,EACxD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,YAAY,MAAM;AAAA,EAC7B,MAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAAA,EACpD,MAAM,aAAa,OAAO,OAAO;AAAA,IAChC,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACd,CAAC;AAAA,EACD,MAAM,MAAM,OAAO,WAAW;AAAA,EAC9B,OAAO,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC;AAAA;AAGpC,SAAS,aAAa,CAAC,UAA0B;AAAA,EACvD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,SAAS,SAAS,GAAG,MAAM;AAAA,EACtC,MAAM,MAAM,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,EACtD,MAAM,aAAa,SAAS,SAAS,SAAS,OAAO;AAAA,EACrD,MAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AAAA,EACxD,SAAS,WAAW,GAAG;AAAA,EACvB,OAAO,SAAS,OAAO,UAAU,EAAE,SAAS,MAAM,IAAI,SAAS,MAAM,MAAM;AAAA;AAIrE,SAAS,kBAAkB,GAAW;AAAA,EAC5C,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA;",
+  "debugId": "0FD7F496A1099A3864756E2164756E21",
+  "names": []
+}

package/dist/src/db/index.d.ts

@@ -46,40 +46,6 @@ interface EventsTable {
 	data: unknown;
 	created_at: Generated<Date>;
 }
-interface StreamsTable {
-	id: Generated<string>;
-	name: string;
-	status: Generated<string>;
-	filters: unknown;
-	options: Generated<unknown>;
-	endpoint_url: string;
-	signing_secret: string | null;
-	api_key_id: string;
-	project_id: string | null;
-	created_at: Generated<Date>;
-	updated_at: Generated<Date>;
-}
-interface StreamMetricsTable {
-	stream_id: string;
-	last_triggered_at: Date | null;
-	last_triggered_block: number | null;
-	total_deliveries: Generated<number>;
-	failed_deliveries: Generated<number>;
-	error_message: string | null;
-}
-interface JobsTable {
-	id: Generated<string>;
-	stream_id: string;
-	block_height: number;
-	status: Generated<string>;
-	attempts: Generated<number>;
-	locked_at: Date | null;
-	locked_by: string | null;
-	error: string | null;
-	backfill: Generated<boolean>;
-	created_at: Generated<Date>;
-	completed_at: Date | null;
-}
 interface IndexProgressTable {
 	network: string;
 	last_indexed_block: Generated<number>;
@@ -87,19 +53,6 @@ interface IndexProgressTable {
 	highest_seen_block: Generated<number>;
 	updated_at: Generated<Date>;
 }
-interface DeliveriesTable {
-	id: Generated<string>;
-	stream_id: string;
-	job_id: string | null;
-	block_height: number;
-	status: string;
-	status_code: number | null;
-	response_time_ms: number | null;
-	attempts: Generated<number>;
-	error: string | null;
-	payload: unknown;
-	created_at: Generated<Date>;
-}
 interface SubgraphsTable {
 	id: Generated<string>;
 	name: string;
@@ -120,6 +73,7 @@ interface SubgraphsTable {
 	api_key_id: string | null;
 	account_id: string;
 	handler_code: string | null;
+	source_code: string | null;
 	project_id: string | null;
 	is_public: Generated<boolean>;
 	tags: Generated<string[]>;
@@ -318,6 +272,7 @@ interface WorkflowDefinitionsTable {
 	trigger_type: string;
 	trigger_config: unknown;
 	handler_path: string;
+	source_code: string | null;
 	retries_config: unknown | null;
 	timeout_ms: number | null;
 	api_key_id: string;
@@ -354,6 +309,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -388,11 +345,7 @@ interface Database {
 	blocks: BlocksTable;
 	transactions: TransactionsTable;
 	events: EventsTable;
-	streams: StreamsTable;
-	stream_metrics: StreamMetricsTable;
-	jobs: JobsTable;
 	index_progress: IndexProgressTable;
-	deliveries: DeliveriesTable;
 	subgraphs: SubgraphsTable;
 	api_keys: ApiKeysTable;
 	accounts: AccountsTable;
@@ -419,6 +372,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 type Block = Selectable<BlocksTable>;
 type InsertBlock = Insertable<BlocksTable>;
@@ -429,21 +408,9 @@ type UpdateTransaction = Updateable<TransactionsTable>;
 type Event = Selectable<EventsTable>;
 type InsertEvent = Insertable<EventsTable>;
 type UpdateEvent = Updateable<EventsTable>;
-type Stream = Selectable<StreamsTable>;
-type InsertStream = Insertable<StreamsTable>;
-type UpdateStreamRow = Updateable<StreamsTable>;
-type StreamMetrics = Selectable<StreamMetricsTable>;
-type InsertStreamMetrics = Insertable<StreamMetricsTable>;
-type UpdateStreamMetrics = Updateable<StreamMetricsTable>;
-type Job = Selectable<JobsTable>;
-type InsertJob = Insertable<JobsTable>;
-type UpdateJob = Updateable<JobsTable>;
 type IndexProgress = Selectable<IndexProgressTable>;
 type InsertIndexProgress = Insertable<IndexProgressTable>;
 type UpdateIndexProgress = Updateable<IndexProgressTable>;
-type Delivery = Selectable<DeliveriesTable>;
-type InsertDelivery = Insertable<DeliveriesTable>;
-type UpdateDelivery = Updateable<DeliveriesTable>;
 type Subgraph = Selectable<SubgraphsTable>;
 type InsertSubgraph = Insertable<SubgraphsTable>;
 type UpdateSubgraph = Updateable<SubgraphsTable>;
@@ -483,6 +450,12 @@ type WorkflowSchedule = Selectable<WorkflowSchedulesTable>;
 type InsertWorkflowSchedule = Insertable<WorkflowSchedulesTable>;
 type UpdateWorkflowSchedule = Updateable<WorkflowSchedulesTable>;
 type WorkflowCursor = Selectable<WorkflowCursorsTable>;
+type WorkflowSignerSecret = Selectable<WorkflowSignerSecretsTable>;
+type InsertWorkflowSignerSecret = Insertable<WorkflowSignerSecretsTable>;
+type UpdateWorkflowSignerSecret = Updateable<WorkflowSignerSecretsTable>;
+type WorkflowBudget = Selectable<WorkflowBudgetsTable>;
+type InsertWorkflowBudget = Insertable<WorkflowBudgetsTable>;
+type UpdateWorkflowBudget = Updateable<WorkflowBudgetsTable>;
 type Project = Selectable<ProjectsTable>;
 type InsertProject = Insertable<ProjectsTable>;
 type UpdateProject = Updateable<ProjectsTable>;
@@ -501,4 +474,4 @@ declare function getDb(connectionString?: string): Kysely<Database>;
 declare function getRawClient(): ReturnType<typeof postgres>;
 /** Close the DB connection pool. Call in CLI commands to allow process exit. */
 declare function closeDb(): Promise<void>;
-export { sql, parseJsonb, jsonb, getRawClient, getDb, closeDb, WorkflowStepsTable, WorkflowStep, WorkflowSchedulesTable, WorkflowSchedule, WorkflowRunsTable, WorkflowRun, WorkflowQueueTable, WorkflowQueueItem, WorkflowDefinitionsTable, WorkflowDefinition, WorkflowCursorsTable, WorkflowCursor, WaitlistTable, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateWorkflowStep, UpdateWorkflowSchedule, UpdateWorkflowRun, UpdateWorkflowDefinition, UpdateTransaction, UpdateSubgraph, UpdateStreamRow, UpdateStreamMetrics, UpdateProject, UpdateJob, UpdateIndexProgress, UpdateEvent, UpdateDelivery, UpdateChatSession, UpdateBlock, UpdateApiKey, TransactionsTable, Transaction, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, StreamsTable, StreamMetricsTable, StreamMetrics, Stream, SessionsTable, Session, ProjectsTable, Project, MagicLinksTable, MagicLink, JobsTable, Job, InsertWorkflowStep, InsertWorkflowSchedule, InsertWorkflowRun, InsertWorkflowQueueItem, InsertWorkflowDefinition, InsertTransaction, InsertTeamMember, InsertTeamInvitation, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertStreamMetrics, InsertStream, InsertSession, InsertProject, InsertMagicLink, InsertJob, InsertIndexProgress, InsertEvent, InsertDelivery, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, Event, Delivery, DeliveriesTable, Database, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };
+export { sql, parseJsonb, jsonb, getRawClient, getDb, closeDb, WorkflowStepsTable, WorkflowStep, WorkflowSignerSecretsTable, WorkflowSignerSecret, WorkflowSchedulesTable, WorkflowSchedule, WorkflowRunsTable, WorkflowRun, WorkflowQueueTable, WorkflowQueueItem, WorkflowDefinitionsTable, WorkflowDefinition, WorkflowCursorsTable, WorkflowCursor, WorkflowBudgetsTable, WorkflowBudget, WaitlistTable, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateWorkflowStep, UpdateWorkflowSignerSecret, UpdateWorkflowSchedule, UpdateWorkflowRun, UpdateWorkflowDefinition, UpdateWorkflowBudget, UpdateTransaction, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, TransactionsTable, Transaction, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ProjectsTable, Project, MagicLinksTable, MagicLink, InsertWorkflowStep, InsertWorkflowSignerSecret, InsertWorkflowSchedule, InsertWorkflowRun, InsertWorkflowQueueItem, InsertWorkflowDefinition, InsertWorkflowBudget, InsertTransaction, InsertTeamMember, InsertTeamInvitation, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, Event, Database, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };

package/dist/src/db/index.js

@@ -40,7 +40,7 @@ var db = null;
 var rawClient = null;
 function getDb(connectionString) {
   if (!db) {
-    const url = connectionString || process.env.DATABASE_URL || "postgres://postgres:postgres@localhost:5432/streams_dev";
+    const url = connectionString || process.env.DATABASE_URL || "postgres://postgres:postgres@localhost:5432/secondlayer_dev";
     const isLocal = url.includes("localhost") || url.includes("127.0.0.1") || url.includes("@postgres:");
     const poolMax = Number.parseInt(process.env.DATABASE_POOL_MAX ?? "20", 10);
     rawClient = postgres(url, {
@@ -79,5 +79,5 @@ export {
   closeDb
 };
 
-//# debugId=FB849504D2C96D2864756E2164756E21
+//# debugId=E1023FA2C43975A264756E2164756E21
 //# sourceMappingURL=index.js.map

package/dist/src/db/index.js.map

@@ -3,9 +3,9 @@
   "sources": ["../src/db/jsonb.ts", "../src/db/index.ts"],
   "sourcesContent": [
     "import { type RawBuilder, sql } from \"kysely\";\n\n/**\n * Safely encode a JS value as a JSONB literal for Kysely inserts/updates.\n * Kysely + postgres.js double-encodes JSON when using parameterized queries\n * with ::jsonb casts. This uses sql.raw to inline a properly escaped literal.\n */\nexport function jsonb(value: unknown): RawBuilder<unknown> {\n\tconst escaped = JSON.stringify(value, (_k, v) => (typeof v === \"bigint\" ? v.toString() : v)).replace(/'/g, \"''\");\n\treturn sql`${sql.raw(`'${escaped}'::jsonb`)}`;\n}\n\n/**\n * Safely parse a JSONB value from the database.\n * Handles double-encoded strings where postgres.js returns a JSON string\n * instead of a parsed object.\n */\nexport function parseJsonb<T = unknown>(value: unknown): T {\n\tif (typeof value === \"string\") {\n\t\ttry {\n\t\t\treturn JSON.parse(value) as T;\n\t\t} catch {\n\t\t\treturn value as T;\n\t\t}\n\t}\n\treturn (value ?? {}) as T;\n}\n",
-    "import { Kysely } from \"kysely\";\nimport { PostgresJSDialect } from \"kysely-postgres-js\";\nimport postgres from \"postgres\";\nimport type { Database } from \"./types.ts\";\n\nlet db: Kysely<Database> | null = null;\nlet rawClient: ReturnType<typeof postgres> | null = null;\n\nexport function getDb(connectionString?: string): Kysely<Database> {\n\tif (!db) {\n\t\tconst url =\n\t\t\tconnectionString ||\n\t\t\tprocess.env.DATABASE_URL ||\n\t\t\t\"postgres://postgres:postgres@localhost:5432/streams_dev\";\n\n\t\t// Always use SSL for remote databases, just disable cert verification if needed\n\t\tconst isLocal =\n\t\t\turl.includes(\"localhost\") ||\n\t\t\turl.includes(\"127.0.0.1\") ||\n\t\t\turl.includes(\"@postgres:\");\n\t\tconst poolMax = Number.parseInt(process.env.DATABASE_POOL_MAX ?? \"20\", 10);\n\t\trawClient = postgres(url, {\n\t\t\tmax: poolMax,\n\t\t\tssl: isLocal\n\t\t\t\t? undefined\n\t\t\t\t: {\n\t\t\t\t\t\trejectUnauthorized:\n\t\t\t\t\t\t\tprocess.env.NODE_TLS_REJECT_UNAUTHORIZED !== \"0\",\n\t\t\t\t\t},\n\t\t});\n\t\tdb = new Kysely<Database>({\n\t\t\tdialect: new PostgresJSDialect({ postgres: rawClient }),\n\t\t});\n\t}\n\treturn db;\n}\n\n/** Raw postgres.js client for dynamic schema DDL (CREATE SCHEMA, DROP, etc.) */\nexport function getRawClient(): ReturnType<typeof postgres> {\n\tif (!rawClient) getDb();\n\treturn rawClient!;\n}\n\n/** Close the DB connection pool. Call in CLI commands to allow process exit. */\nexport async function closeDb(): Promise<void> {\n\tif (db) {\n\t\tawait db.destroy();\n\t\tdb = null;\n\t}\n\tif (rawClient) {\n\t\tawait rawClient.end();\n\t\trawClient = null;\n\t}\n}\n\nimport { sql } from \"kysely\";\nexport { sql };\nexport * from \"./types.ts\";\nexport { jsonb, parseJsonb } from \"./jsonb.ts\";\n"
+    "import { Kysely } from \"kysely\";\nimport { PostgresJSDialect } from \"kysely-postgres-js\";\nimport postgres from \"postgres\";\nimport type { Database } from \"./types.ts\";\n\nlet db: Kysely<Database> | null = null;\nlet rawClient: ReturnType<typeof postgres> | null = null;\n\nexport function getDb(connectionString?: string): Kysely<Database> {\n\tif (!db) {\n\t\tconst url =\n\t\t\tconnectionString ||\n\t\t\tprocess.env.DATABASE_URL ||\n\t\t\t\"postgres://postgres:postgres@localhost:5432/secondlayer_dev\";\n\n\t\t// Always use SSL for remote databases, just disable cert verification if needed\n\t\tconst isLocal =\n\t\t\turl.includes(\"localhost\") ||\n\t\t\turl.includes(\"127.0.0.1\") ||\n\t\t\turl.includes(\"@postgres:\");\n\t\tconst poolMax = Number.parseInt(process.env.DATABASE_POOL_MAX ?? \"20\", 10);\n\t\trawClient = postgres(url, {\n\t\t\tmax: poolMax,\n\t\t\tssl: isLocal\n\t\t\t\t? undefined\n\t\t\t\t: {\n\t\t\t\t\t\trejectUnauthorized:\n\t\t\t\t\t\t\tprocess.env.NODE_TLS_REJECT_UNAUTHORIZED !== \"0\",\n\t\t\t\t\t},\n\t\t});\n\t\tdb = new Kysely<Database>({\n\t\t\tdialect: new PostgresJSDialect({ postgres: rawClient }),\n\t\t});\n\t}\n\treturn db;\n}\n\n/** Raw postgres.js client for dynamic schema DDL (CREATE SCHEMA, DROP, etc.) */\nexport function getRawClient(): ReturnType<typeof postgres> {\n\tif (!rawClient) getDb();\n\treturn rawClient!;\n}\n\n/** Close the DB connection pool. Call in CLI commands to allow process exit. */\nexport async function closeDb(): Promise<void> {\n\tif (db) {\n\t\tawait db.destroy();\n\t\tdb = null;\n\t}\n\tif (rawClient) {\n\t\tawait rawClient.end();\n\t\trawClient = null;\n\t}\n}\n\nimport { sql } from \"kysely\";\nexport { sql };\nexport * from \"./types.ts\";\nexport { jsonb, parseJsonb } from \"./jsonb.ts\";\n"
   ],
   "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAOO,SAAS,KAAK,CAAC,OAAqC;AAAA,EAC1D,MAAM,UAAU,KAAK,UAAU,OAAO,CAAC,IAAI,MAAO,OAAO,MAAM,WAAW,EAAE,SAAS,IAAI,CAAE,EAAE,QAAQ,MAAM,IAAI;AAAA,EAC/G,OAAO,MAAM,IAAI,IAAI,IAAI,iBAAiB;AAAA;AAQpC,SAAS,UAAuB,CAAC,OAAmB;AAAA,EAC1D,IAAI,OAAO,UAAU,UAAU;AAAA,IAC9B,IAAI;AAAA,MACH,OAAO,KAAK,MAAM,KAAK;AAAA,MACtB,MAAM;AAAA,MACP,OAAO;AAAA;AAAA,EAET;AAAA,EACA,OAAQ,SAAS,CAAC;AAAA;;;ACzBnB;AACA;AACA;AAqDA,gBAAS;AAlDT,IAAI,KAA8B;AAClC,IAAI,YAAgD;AAE7C,SAAS,KAAK,CAAC,kBAA6C;AAAA,EAClE,IAAI,CAAC,IAAI;AAAA,IACR,MAAM,MACL,oBACA,QAAQ,IAAI,gBACZ;AAAA,IAGD,MAAM,UACL,IAAI,SAAS,WAAW,KACxB,IAAI,SAAS,WAAW,KACxB,IAAI,SAAS,YAAY;AAAA,IAC1B,MAAM,UAAU,OAAO,SAAS,QAAQ,IAAI,qBAAqB,MAAM,EAAE;AAAA,IACzE,YAAY,SAAS,KAAK;AAAA,MACzB,KAAK;AAAA,MACL,KAAK,UACF,YACA;AAAA,QACA,oBACC,QAAQ,IAAI,iCAAiC;AAAA,MAC/C;AAAA,IACH,CAAC;AAAA,IACD,KAAK,IAAI,OAAiB;AAAA,MACzB,SAAS,IAAI,kBAAkB,EAAE,UAAU,UAAU,CAAC;AAAA,IACvD,CAAC;AAAA,EACF;AAAA,EACA,OAAO;AAAA;AAID,SAAS,YAAY,GAAgC;AAAA,EAC3D,IAAI,CAAC;AAAA,IAAW,MAAM;AAAA,EACtB,OAAO;AAAA;AAIR,eAAsB,OAAO,GAAkB;AAAA,EAC9C,IAAI,IAAI;AAAA,IACP,MAAM,GAAG,QAAQ;AAAA,IACjB,KAAK;AAAA,EACN;AAAA,EACA,IAAI,WAAW;AAAA,IACd,MAAM,UAAU,IAAI;AAAA,IACpB,YAAY;AAAA,EACb;AAAA;",
-  "debugId": "FB849504D2C96D2864756E2164756E21",
+  "debugId": "E1023FA2C43975A264756E2164756E21",
   "names": []
 }

package/dist/src/db/queries/accounts.d.ts

@@ -33,40 +33,6 @@ interface EventsTable {
 	data: unknown;
 	created_at: Generated<Date>;
 }
-interface StreamsTable {
-	id: Generated<string>;
-	name: string;
-	status: Generated<string>;
-	filters: unknown;
-	options: Generated<unknown>;
-	endpoint_url: string;
-	signing_secret: string | null;
-	api_key_id: string;
-	project_id: string | null;
-	created_at: Generated<Date>;
-	updated_at: Generated<Date>;
-}
-interface StreamMetricsTable {
-	stream_id: string;
-	last_triggered_at: Date | null;
-	last_triggered_block: number | null;
-	total_deliveries: Generated<number>;
-	failed_deliveries: Generated<number>;
-	error_message: string | null;
-}
-interface JobsTable {
-	id: Generated<string>;
-	stream_id: string;
-	block_height: number;
-	status: Generated<string>;
-	attempts: Generated<number>;
-	locked_at: Date | null;
-	locked_by: string | null;
-	error: string | null;
-	backfill: Generated<boolean>;
-	created_at: Generated<Date>;
-	completed_at: Date | null;
-}
 interface IndexProgressTable {
 	network: string;
 	last_indexed_block: Generated<number>;
@@ -74,19 +40,6 @@ interface IndexProgressTable {
 	highest_seen_block: Generated<number>;
 	updated_at: Generated<Date>;
 }
-interface DeliveriesTable {
-	id: Generated<string>;
-	stream_id: string;
-	job_id: string | null;
-	block_height: number;
-	status: string;
-	status_code: number | null;
-	response_time_ms: number | null;
-	attempts: Generated<number>;
-	error: string | null;
-	payload: unknown;
-	created_at: Generated<Date>;
-}
 interface SubgraphsTable {
 	id: Generated<string>;
 	name: string;
@@ -107,6 +60,7 @@ interface SubgraphsTable {
 	api_key_id: string | null;
 	account_id: string;
 	handler_code: string | null;
+	source_code: string | null;
 	project_id: string | null;
 	is_public: Generated<boolean>;
 	tags: Generated<string[]>;
@@ -305,6 +259,7 @@ interface WorkflowDefinitionsTable {
 	trigger_type: string;
 	trigger_config: unknown;
 	handler_path: string;
+	source_code: string | null;
 	retries_config: unknown | null;
 	timeout_ms: number | null;
 	api_key_id: string;
@@ -341,6 +296,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -375,11 +332,7 @@ interface Database {
 	blocks: BlocksTable;
 	transactions: TransactionsTable;
 	events: EventsTable;
-	streams: StreamsTable;
-	stream_metrics: StreamMetricsTable;
-	jobs: JobsTable;
 	index_progress: IndexProgressTable;
-	deliveries: DeliveriesTable;
 	subgraphs: SubgraphsTable;
 	api_keys: ApiKeysTable;
 	accounts: AccountsTable;
@@ -406,6 +359,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 type Account = Selectable<AccountsTable>;
 declare function upsertAccount(db: Kysely<Database>, email: string): Promise<Account>;

package/dist/src/db/queries/integrity.d.ts

@@ -32,40 +32,6 @@ interface EventsTable {
 	data: unknown;
 	created_at: Generated<Date>;
 }
-interface StreamsTable {
-	id: Generated<string>;
-	name: string;
-	status: Generated<string>;
-	filters: unknown;
-	options: Generated<unknown>;
-	endpoint_url: string;
-	signing_secret: string | null;
-	api_key_id: string;
-	project_id: string | null;
-	created_at: Generated<Date>;
-	updated_at: Generated<Date>;
-}
-interface StreamMetricsTable {
-	stream_id: string;
-	last_triggered_at: Date | null;
-	last_triggered_block: number | null;
-	total_deliveries: Generated<number>;
-	failed_deliveries: Generated<number>;
-	error_message: string | null;
-}
-interface JobsTable {
-	id: Generated<string>;
-	stream_id: string;
-	block_height: number;
-	status: Generated<string>;
-	attempts: Generated<number>;
-	locked_at: Date | null;
-	locked_by: string | null;
-	error: string | null;
-	backfill: Generated<boolean>;
-	created_at: Generated<Date>;
-	completed_at: Date | null;
-}
 interface IndexProgressTable {
 	network: string;
 	last_indexed_block: Generated<number>;
@@ -73,19 +39,6 @@ interface IndexProgressTable {
 	highest_seen_block: Generated<number>;
 	updated_at: Generated<Date>;
 }
-interface DeliveriesTable {
-	id: Generated<string>;
-	stream_id: string;
-	job_id: string | null;
-	block_height: number;
-	status: string;
-	status_code: number | null;
-	response_time_ms: number | null;
-	attempts: Generated<number>;
-	error: string | null;
-	payload: unknown;
-	created_at: Generated<Date>;
-}
 interface SubgraphsTable {
 	id: Generated<string>;
 	name: string;
@@ -106,6 +59,7 @@ interface SubgraphsTable {
 	api_key_id: string | null;
 	account_id: string;
 	handler_code: string | null;
+	source_code: string | null;
 	project_id: string | null;
 	is_public: Generated<boolean>;
 	tags: Generated<string[]>;
@@ -304,6 +258,7 @@ interface WorkflowDefinitionsTable {
 	trigger_type: string;
 	trigger_config: unknown;
 	handler_path: string;
+	source_code: string | null;
 	retries_config: unknown | null;
 	timeout_ms: number | null;
 	api_key_id: string;
@@ -340,6 +295,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -374,11 +331,7 @@ interface Database {
 	blocks: BlocksTable;
 	transactions: TransactionsTable;
 	events: EventsTable;
-	streams: StreamsTable;
-	stream_metrics: StreamMetricsTable;
-	jobs: JobsTable;
 	index_progress: IndexProgressTable;
-	deliveries: DeliveriesTable;
 	subgraphs: SubgraphsTable;
 	api_keys: ApiKeysTable;
 	accounts: AccountsTable;
@@ -405,6 +358,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 interface Gap {
 	gapStart: number;