@secondlayer/shared 1.0.0 → 1.1.0

package/dist/src/crypto/secrets.d.ts

@@ -0,0 +1,5 @@
+declare function encryptSecret(plaintext: string): Buffer;
+declare function decryptSecret(envelope: Buffer): string;
+/** Generate a fresh 32-byte hex key suitable for `SECONDLAYER_SECRETS_KEY`. */
+declare function generateSecretsKey(): string;
+export { generateSecretsKey, encryptSecret, decryptSecret };

package/dist/src/crypto/secrets.js

@@ -0,0 +1,69 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+
+// src/crypto/secrets.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+var KEY_ENV = "SECONDLAYER_SECRETS_KEY";
+var IV_LEN = 12;
+var TAG_LEN = 16;
+function loadKey() {
+  const hex = process.env[KEY_ENV];
+  if (!hex) {
+    throw new Error(`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`);
+  }
+  const key = Buffer.from(hex, "hex");
+  if (key.length !== 32) {
+    throw new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);
+  }
+  return key;
+}
+var _cachedKey = null;
+function getKey() {
+  if (!_cachedKey)
+    _cachedKey = loadKey();
+  return _cachedKey;
+}
+function encryptSecret(plaintext) {
+  const key = getKey();
+  const iv = randomBytes(IV_LEN);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, ciphertext]);
+}
+function decryptSecret(envelope) {
+  const key = getKey();
+  const iv = envelope.subarray(0, IV_LEN);
+  const tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);
+  const ciphertext = envelope.subarray(IV_LEN + TAG_LEN);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(ciphertext).toString("utf8") + decipher.final("utf8");
+}
+function generateSecretsKey() {
+  return randomBytes(32).toString("hex");
+}
+export {
+  generateSecretsKey,
+  encryptSecret,
+  decryptSecret
+};
+
+//# debugId=0FD7F496A1099A3864756E2164756E21
+//# sourceMappingURL=secrets.js.map

package/dist/src/crypto/secrets.js.map

@@ -0,0 +1,10 @@
+{
+  "version": 3,
+  "sources": ["../src/crypto/secrets.ts"],
+  "sourcesContent": [
+    "import { createCipheriv, createDecipheriv, randomBytes } from \"node:crypto\";\n\n/**\n * AES-256-GCM symmetric envelope for workflow signer secrets.\n *\n * Ciphertext layout: `iv (12 bytes) || authTag (16 bytes) || ciphertext`\n *\n * The key comes from `SECONDLAYER_SECRETS_KEY` — 32 bytes hex. Callers must\n * load + cache the key once per process. Rotation strategy: when a customer\n * wants to rotate keys, re-encrypt all rows with the new key and swap the\n * env var. Not zero-downtime, but acceptable at v2 scale.\n *\n * For real KMS (AWS KMS, HashiCorp Vault, GCP KMS), wrap the same byte\n * layout behind an `EncryptSecret` / `DecryptSecret` interface in the\n * runner and swap the implementation at startup.\n */\n\nconst KEY_ENV = \"SECONDLAYER_SECRETS_KEY\";\nconst IV_LEN = 12;\nconst TAG_LEN = 16;\n\nfunction loadKey(): Buffer {\n\tconst hex = process.env[KEY_ENV];\n\tif (!hex) {\n\t\tthrow new Error(\n\t\t\t`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`,\n\t\t);\n\t}\n\tconst key = Buffer.from(hex, \"hex\");\n\tif (key.length !== 32) {\n\t\tthrow new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);\n\t}\n\treturn key;\n}\n\nlet _cachedKey: Buffer | null = null;\nfunction getKey(): Buffer {\n\tif (!_cachedKey) _cachedKey = loadKey();\n\treturn _cachedKey;\n}\n\nexport function encryptSecret(plaintext: string): Buffer {\n\tconst key = getKey();\n\tconst iv = randomBytes(IV_LEN);\n\tconst cipher = createCipheriv(\"aes-256-gcm\", key, iv);\n\tconst ciphertext = Buffer.concat([\n\t\tcipher.update(plaintext, \"utf8\"),\n\t\tcipher.final(),\n\t]);\n\tconst tag = cipher.getAuthTag();\n\treturn Buffer.concat([iv, tag, ciphertext]);\n}\n\nexport function decryptSecret(envelope: Buffer): string {\n\tconst key = getKey();\n\tconst iv = envelope.subarray(0, IV_LEN);\n\tconst tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);\n\tconst ciphertext = envelope.subarray(IV_LEN + TAG_LEN);\n\tconst decipher = createDecipheriv(\"aes-256-gcm\", key, iv);\n\tdecipher.setAuthTag(tag);\n\treturn decipher.update(ciphertext).toString(\"utf8\") + decipher.final(\"utf8\");\n}\n\n/** Generate a fresh 32-byte hex key suitable for `SECONDLAYER_SECRETS_KEY`. */\nexport function generateSecretsKey(): string {\n\treturn randomBytes(32).toString(\"hex\");\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAiBA,IAAM,UAAU;AAChB,IAAM,SAAS;AACf,IAAM,UAAU;AAEhB,SAAS,OAAO,GAAW;AAAA,EAC1B,MAAM,MAAM,QAAQ,IAAI;AAAA,EACxB,IAAI,CAAC,KAAK;AAAA,IACT,MAAM,IAAI,MACT,GAAG,0DACJ;AAAA,EACD;AAAA,EACA,MAAM,MAAM,OAAO,KAAK,KAAK,KAAK;AAAA,EAClC,IAAI,IAAI,WAAW,IAAI;AAAA,IACtB,MAAM,IAAI,MAAM,GAAG,qCAAqC,IAAI,SAAS;AAAA,EACtE;AAAA,EACA,OAAO;AAAA;AAGR,IAAI,aAA4B;AAChC,SAAS,MAAM,GAAW;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,aAAa,QAAQ;AAAA,EACtC,OAAO;AAAA;AAGD,SAAS,aAAa,CAAC,WAA2B;AAAA,EACxD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,YAAY,MAAM;AAAA,EAC7B,MAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAAA,EACpD,MAAM,aAAa,OAAO,OAAO;AAAA,IAChC,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACd,CAAC;AAAA,EACD,MAAM,MAAM,OAAO,WAAW;AAAA,EAC9B,OAAO,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC;AAAA;AAGpC,SAAS,aAAa,CAAC,UAA0B;AAAA,EACvD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,SAAS,SAAS,GAAG,MAAM;AAAA,EACtC,MAAM,MAAM,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,EACtD,MAAM,aAAa,SAAS,SAAS,SAAS,OAAO;AAAA,EACrD,MAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AAAA,EACxD,SAAS,WAAW,GAAG;AAAA,EACvB,OAAO,SAAS,OAAO,UAAU,EAAE,SAAS,MAAM,IAAI,SAAS,MAAM,MAAM;AAAA;AAIrE,SAAS,kBAAkB,GAAW;AAAA,EAC5C,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA;",
+  "debugId": "0FD7F496A1099A3864756E2164756E21",
+  "names": []
+}

package/dist/src/db/index.d.ts

@@ -309,6 +309,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -370,6 +372,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 type Block = Selectable<BlocksTable>;
 type InsertBlock = Insertable<BlocksTable>;
@@ -422,6 +450,12 @@ type WorkflowSchedule = Selectable<WorkflowSchedulesTable>;
 type InsertWorkflowSchedule = Insertable<WorkflowSchedulesTable>;
 type UpdateWorkflowSchedule = Updateable<WorkflowSchedulesTable>;
 type WorkflowCursor = Selectable<WorkflowCursorsTable>;
+type WorkflowSignerSecret = Selectable<WorkflowSignerSecretsTable>;
+type InsertWorkflowSignerSecret = Insertable<WorkflowSignerSecretsTable>;
+type UpdateWorkflowSignerSecret = Updateable<WorkflowSignerSecretsTable>;
+type WorkflowBudget = Selectable<WorkflowBudgetsTable>;
+type InsertWorkflowBudget = Insertable<WorkflowBudgetsTable>;
+type UpdateWorkflowBudget = Updateable<WorkflowBudgetsTable>;
 type Project = Selectable<ProjectsTable>;
 type InsertProject = Insertable<ProjectsTable>;
 type UpdateProject = Updateable<ProjectsTable>;
@@ -440,4 +474,4 @@ declare function getDb(connectionString?: string): Kysely<Database>;
 declare function getRawClient(): ReturnType<typeof postgres>;
 /** Close the DB connection pool. Call in CLI commands to allow process exit. */
 declare function closeDb(): Promise<void>;
-export { sql, parseJsonb, jsonb, getRawClient, getDb, closeDb, WorkflowStepsTable, WorkflowStep, WorkflowSchedulesTable, WorkflowSchedule, WorkflowRunsTable, WorkflowRun, WorkflowQueueTable, WorkflowQueueItem, WorkflowDefinitionsTable, WorkflowDefinition, WorkflowCursorsTable, WorkflowCursor, WaitlistTable, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateWorkflowStep, UpdateWorkflowSchedule, UpdateWorkflowRun, UpdateWorkflowDefinition, UpdateTransaction, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, TransactionsTable, Transaction, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ProjectsTable, Project, MagicLinksTable, MagicLink, InsertWorkflowStep, InsertWorkflowSchedule, InsertWorkflowRun, InsertWorkflowQueueItem, InsertWorkflowDefinition, InsertTransaction, InsertTeamMember, InsertTeamInvitation, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, Event, Database, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };
+export { sql, parseJsonb, jsonb, getRawClient, getDb, closeDb, WorkflowStepsTable, WorkflowStep, WorkflowSignerSecretsTable, WorkflowSignerSecret, WorkflowSchedulesTable, WorkflowSchedule, WorkflowRunsTable, WorkflowRun, WorkflowQueueTable, WorkflowQueueItem, WorkflowDefinitionsTable, WorkflowDefinition, WorkflowCursorsTable, WorkflowCursor, WorkflowBudgetsTable, WorkflowBudget, WaitlistTable, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateWorkflowStep, UpdateWorkflowSignerSecret, UpdateWorkflowSchedule, UpdateWorkflowRun, UpdateWorkflowDefinition, UpdateWorkflowBudget, UpdateTransaction, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, TransactionsTable, Transaction, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ProjectsTable, Project, MagicLinksTable, MagicLink, InsertWorkflowStep, InsertWorkflowSignerSecret, InsertWorkflowSchedule, InsertWorkflowRun, InsertWorkflowQueueItem, InsertWorkflowDefinition, InsertWorkflowBudget, InsertTransaction, InsertTeamMember, InsertTeamInvitation, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, Event, Database, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };

package/dist/src/db/queries/accounts.d.ts

@@ -296,6 +296,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -357,6 +359,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 type Account = Selectable<AccountsTable>;
 declare function upsertAccount(db: Kysely<Database>, email: string): Promise<Account>;

package/dist/src/db/queries/integrity.d.ts

@@ -295,6 +295,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -356,6 +358,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 interface Gap {
 	gapStart: number;

package/dist/src/db/queries/marketplace.d.ts

@@ -295,6 +295,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -356,6 +358,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 type Subgraph = Selectable<SubgraphsTable>;
 /**

package/dist/src/db/queries/projects.d.ts

@@ -295,6 +295,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -356,6 +358,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 type Project = Selectable<ProjectsTable>;
 type TeamInvitation = Selectable<TeamInvitationsTable>;

package/dist/src/db/queries/subgraph-gaps.d.ts

@@ -295,6 +295,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -356,6 +358,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 interface GapRange {
 	start: number;

package/dist/src/db/queries/subgraphs.d.ts

@@ -295,6 +295,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -356,6 +358,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 type Subgraph = Selectable<SubgraphsTable>;
 /**

package/dist/src/db/queries/usage.d.ts

@@ -302,6 +302,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -363,6 +365,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 /** Increment API request counter for today. Fire-and-forget safe. */
 declare function incrementApiRequests(db: Kysely<Database>, accountId: string): Promise<void>;

package/dist/src/db/queries/workflows.d.ts

@@ -295,6 +295,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -356,6 +358,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 type WorkflowDefinition = Selectable<WorkflowDefinitionsTable>;
 type WorkflowRun = Selectable<WorkflowRunsTable>;

package/dist/src/db/schema.d.ts

@@ -294,6 +294,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -355,6 +357,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 type Block = Selectable<BlocksTable>;
 type InsertBlock = Insertable<BlocksTable>;
@@ -407,6 +435,12 @@ type WorkflowSchedule = Selectable<WorkflowSchedulesTable>;
 type InsertWorkflowSchedule = Insertable<WorkflowSchedulesTable>;
 type UpdateWorkflowSchedule = Updateable<WorkflowSchedulesTable>;
 type WorkflowCursor = Selectable<WorkflowCursorsTable>;
+type WorkflowSignerSecret = Selectable<WorkflowSignerSecretsTable>;
+type InsertWorkflowSignerSecret = Insertable<WorkflowSignerSecretsTable>;
+type UpdateWorkflowSignerSecret = Updateable<WorkflowSignerSecretsTable>;
+type WorkflowBudget = Selectable<WorkflowBudgetsTable>;
+type InsertWorkflowBudget = Insertable<WorkflowBudgetsTable>;
+type UpdateWorkflowBudget = Updateable<WorkflowBudgetsTable>;
 type Project = Selectable<ProjectsTable>;
 type InsertProject = Insertable<ProjectsTable>;
 type UpdateProject = Updateable<ProjectsTable>;
@@ -419,4 +453,4 @@ type InsertChatSession = Insertable<ChatSessionsTable>;
 type UpdateChatSession = Updateable<ChatSessionsTable>;
 type ChatMessage = Selectable<ChatMessagesTable>;
 type InsertChatMessage = Insertable<ChatMessagesTable>;
-export { WorkflowStepsTable, WorkflowStep, WorkflowSchedulesTable, WorkflowSchedule, WorkflowRunsTable, WorkflowRun, WorkflowQueueTable, WorkflowQueueItem, WorkflowDefinitionsTable, WorkflowDefinition, WorkflowCursorsTable, WorkflowCursor, WaitlistTable, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateWorkflowStep, UpdateWorkflowSchedule, UpdateWorkflowRun, UpdateWorkflowDefinition, UpdateTransaction, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, TransactionsTable, Transaction, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ProjectsTable, Project, MagicLinksTable, MagicLink, InsertWorkflowStep, InsertWorkflowSchedule, InsertWorkflowRun, InsertWorkflowQueueItem, InsertWorkflowDefinition, InsertTransaction, InsertTeamMember, InsertTeamInvitation, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, Event, Database, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };
+export { WorkflowStepsTable, WorkflowStep, WorkflowSignerSecretsTable, WorkflowSignerSecret, WorkflowSchedulesTable, WorkflowSchedule, WorkflowRunsTable, WorkflowRun, WorkflowQueueTable, WorkflowQueueItem, WorkflowDefinitionsTable, WorkflowDefinition, WorkflowCursorsTable, WorkflowCursor, WorkflowBudgetsTable, WorkflowBudget, WaitlistTable, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateWorkflowStep, UpdateWorkflowSignerSecret, UpdateWorkflowSchedule, UpdateWorkflowRun, UpdateWorkflowDefinition, UpdateWorkflowBudget, UpdateTransaction, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, TransactionsTable, Transaction, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ProjectsTable, Project, MagicLinksTable, MagicLink, InsertWorkflowStep, InsertWorkflowSignerSecret, InsertWorkflowSchedule, InsertWorkflowRun, InsertWorkflowQueueItem, InsertWorkflowDefinition, InsertWorkflowBudget, InsertTransaction, InsertTeamMember, InsertTeamInvitation, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, Event, Database, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };

package/dist/src/index.d.ts

@@ -294,6 +294,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -355,6 +357,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 type Block = Selectable<BlocksTable>;
 type InsertBlock = Insertable<BlocksTable>;
@@ -407,6 +435,12 @@ type WorkflowSchedule = Selectable<WorkflowSchedulesTable>;
 type InsertWorkflowSchedule = Insertable<WorkflowSchedulesTable>;
 type UpdateWorkflowSchedule = Updateable<WorkflowSchedulesTable>;
 type WorkflowCursor = Selectable<WorkflowCursorsTable>;
+type WorkflowSignerSecret = Selectable<WorkflowSignerSecretsTable>;
+type InsertWorkflowSignerSecret = Insertable<WorkflowSignerSecretsTable>;
+type UpdateWorkflowSignerSecret = Updateable<WorkflowSignerSecretsTable>;
+type WorkflowBudget = Selectable<WorkflowBudgetsTable>;
+type InsertWorkflowBudget = Insertable<WorkflowBudgetsTable>;
+type UpdateWorkflowBudget = Updateable<WorkflowBudgetsTable>;
 type Project = Selectable<ProjectsTable>;
 type InsertProject = Insertable<ProjectsTable>;
 type UpdateProject = Updateable<ProjectsTable>;
@@ -819,4 +853,4 @@ declare function createSignatureHeader(payload: string, secret: string, timestam
 * Returns true if valid, false otherwise
 */
 declare function verifySignatureHeader(payload: string, header: string, secret: string, toleranceSeconds?: number): boolean;
-export { sql, parseJsonb, logger, jsonb, getRawClient, getErrorMessage, getEnv, getDb, exports_hmac as crypto, closeDb, WorkflowStepsTable, WorkflowStep, WorkflowSchedulesTable, WorkflowSchedule, WorkflowRunsTable, WorkflowRun, WorkflowQueueTable, WorkflowQueueItem, WorkflowDefinitionsTable, WorkflowDefinition, WorkflowCursorsTable, WorkflowCursor, WaitlistTable, VersionConflictError, ValidationError, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateWorkflowStep, UpdateWorkflowSchedule, UpdateWorkflowRun, UpdateWorkflowDefinition, UpdateTransaction, UpdateSubgraph, UpdateProject, UpdateProfileRequestSchema, UpdateProfileRequest, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, TransactionsTable, Transaction, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphSyncInfo, SubgraphSummary, SubgraphQueryParams, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGapsResponse, SubgraphGapRange, SubgraphGapEntry, SubgraphGap, SubgraphDetail, Subgraph, StxTransferFilterSchema, StxTransferFilter, StxMintFilterSchema, StxMintFilter, StxLockFilterSchema, StxLockFilter, StxBurnFilterSchema, StxBurnFilter, SessionsTable, Session, SecondLayerError, ReindexResponse, RateLimitError, PublishSubgraphRequestSchema, PublishSubgraphRequest, ProjectsTable, Project, PrintEventFilterSchema, PrintEventFilter, NotFoundError, NftTransferFilterSchema, NftTransferFilter, NftMintFilterSchema, NftMintFilter, NftBurnFilterSchema, NftBurnFilter, MarketplaceSubgraphSummary, MarketplaceSubgraphDetail, MarketplaceCreator, MagicLinksTable, MagicLink, InsertWorkflowStep, InsertWorkflowSchedule, InsertWorkflowRun, InsertWorkflowQueueItem, InsertWorkflowDefinition, InsertTransaction, InsertTeamMember, InsertTeamInvitation, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, FtTransferFilterSchema, FtTransferFilter, FtMintFilterSchema, FtMintFilter, FtBurnFilterSchema, FtBurnFilter, ForkSubgraphRequestSchema, ForkSubgraphRequest, ForbiddenError, EventsTable, EventFilterSchema, EventFilter, Event, ErrorCodes, ErrorCode, Env, DeploySubgraphResponse, DeploySubgraphRequestSchema, DeploySubgraphRequest, DatabaseError, Database, CreatorProfile, ContractDeployFilterSchema, ContractDeployFilter, ContractCallFilterSchema, ContractCallFilter, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, CODE_TO_STATUS, BlocksTable, Block, AuthorizationError, AuthenticationError, ApiKeysTable, ApiKey, AccountsTable, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };
+export { sql, parseJsonb, logger, jsonb, getRawClient, getErrorMessage, getEnv, getDb, exports_hmac as crypto, closeDb, WorkflowStepsTable, WorkflowStep, WorkflowSignerSecretsTable, WorkflowSignerSecret, WorkflowSchedulesTable, WorkflowSchedule, WorkflowRunsTable, WorkflowRun, WorkflowQueueTable, WorkflowQueueItem, WorkflowDefinitionsTable, WorkflowDefinition, WorkflowCursorsTable, WorkflowCursor, WorkflowBudgetsTable, WorkflowBudget, WaitlistTable, VersionConflictError, ValidationError, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateWorkflowStep, UpdateWorkflowSignerSecret, UpdateWorkflowSchedule, UpdateWorkflowRun, UpdateWorkflowDefinition, UpdateWorkflowBudget, UpdateTransaction, UpdateSubgraph, UpdateProject, UpdateProfileRequestSchema, UpdateProfileRequest, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, TransactionsTable, Transaction, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphSyncInfo, SubgraphSummary, SubgraphQueryParams, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGapsResponse, SubgraphGapRange, SubgraphGapEntry, SubgraphGap, SubgraphDetail, Subgraph, StxTransferFilterSchema, StxTransferFilter, StxMintFilterSchema, StxMintFilter, StxLockFilterSchema, StxLockFilter, StxBurnFilterSchema, StxBurnFilter, SessionsTable, Session, SecondLayerError, ReindexResponse, RateLimitError, PublishSubgraphRequestSchema, PublishSubgraphRequest, ProjectsTable, Project, PrintEventFilterSchema, PrintEventFilter, NotFoundError, NftTransferFilterSchema, NftTransferFilter, NftMintFilterSchema, NftMintFilter, NftBurnFilterSchema, NftBurnFilter, MarketplaceSubgraphSummary, MarketplaceSubgraphDetail, MarketplaceCreator, MagicLinksTable, MagicLink, InsertWorkflowStep, InsertWorkflowSignerSecret, InsertWorkflowSchedule, InsertWorkflowRun, InsertWorkflowQueueItem, InsertWorkflowDefinition, InsertWorkflowBudget, InsertTransaction, InsertTeamMember, InsertTeamInvitation, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, FtTransferFilterSchema, FtTransferFilter, FtMintFilterSchema, FtMintFilter, FtBurnFilterSchema, FtBurnFilter, ForkSubgraphRequestSchema, ForkSubgraphRequest, ForbiddenError, EventsTable, EventFilterSchema, EventFilter, Event, ErrorCodes, ErrorCode, Env, DeploySubgraphResponse, DeploySubgraphRequestSchema, DeploySubgraphRequest, DatabaseError, Database, CreatorProfile, ContractDeployFilterSchema, ContractDeployFilter, ContractCallFilterSchema, ContractCallFilter, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, CODE_TO_STATUS, BlocksTable, Block, AuthorizationError, AuthenticationError, ApiKeysTable, ApiKey, AccountsTable, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };

package/dist/src/node/local-client.d.ts

@@ -295,6 +295,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -356,6 +358,32 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 /** Matches the NewBlockPayload shape expected by the indexer's /new_block endpoint */
 interface ReplayBlockPayload {

package/dist/src/pricing.d.ts

@@ -0,0 +1,28 @@
+/**
+* Token → USD pricing constants for internal observability.
+*
+* **Not customer billing.** Tier pricing covers compute; these constants
+* let the dashboard display "~$X spent in AI today" and let us track
+* gross-margin internally. Update manually when providers change prices
+* (roughly twice per year).
+*
+* Source: public provider pricing pages as of 2026-04-17.
+*/
+interface ModelPricing {
+	/** USD per 1M input tokens */
+	inputPerMTokens: number;
+	/** USD per 1M output tokens */
+	outputPerMTokens: number;
+}
+declare const MODEL_PRICING: Record<string, Record<string, ModelPricing>>;
+interface TokenUsage {
+	inputTokens: number;
+	outputTokens: number;
+}
+/**
+* Compute approximate USD cost for an AI step. Returns `null` if the
+* (provider, model) pair isn't in the pricing table — the caller should
+* display "-" rather than "$0".
+*/
+declare function computeUsdCost(provider: string, modelId: string, usage: TokenUsage): number | null;
+export { computeUsdCost, TokenUsage, ModelPricing, MODEL_PRICING };

package/dist/src/pricing.js

@@ -0,0 +1,47 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+
+// src/pricing.ts
+var MODEL_PRICING = {
+  anthropic: {
+    "claude-haiku-4-5": { inputPerMTokens: 1, outputPerMTokens: 5 },
+    "claude-haiku-4-5-20251001": { inputPerMTokens: 1, outputPerMTokens: 5 },
+    "claude-sonnet-4-6": { inputPerMTokens: 3, outputPerMTokens: 15 },
+    "claude-opus-4-7": { inputPerMTokens: 15, outputPerMTokens: 75 }
+  },
+  openai: {
+    "gpt-4.1": { inputPerMTokens: 2.5, outputPerMTokens: 10 },
+    "gpt-4o": { inputPerMTokens: 2.5, outputPerMTokens: 10 },
+    "gpt-4o-mini": { inputPerMTokens: 0.15, outputPerMTokens: 0.6 }
+  },
+  google: {
+    "gemini-2.5-pro": { inputPerMTokens: 1.25, outputPerMTokens: 10 },
+    "gemini-2.5-flash": { inputPerMTokens: 0.3, outputPerMTokens: 2.5 }
+  }
+};
+function computeUsdCost(provider, modelId, usage) {
+  const p = MODEL_PRICING[provider]?.[modelId];
+  if (!p)
+    return null;
+  return usage.inputTokens * p.inputPerMTokens / 1e6 + usage.outputTokens * p.outputPerMTokens / 1e6;
+}
+export {
+  computeUsdCost,
+  MODEL_PRICING
+};
+
+//# debugId=4DD95AFC388E4B9664756E2164756E21
+//# sourceMappingURL=pricing.js.map

package/dist/src/pricing.js.map

@@ -0,0 +1,10 @@
+{
+  "version": 3,
+  "sources": ["../src/pricing.ts"],
+  "sourcesContent": [
+    "/**\n * Token → USD pricing constants for internal observability.\n *\n * **Not customer billing.** Tier pricing covers compute; these constants\n * let the dashboard display \"~$X spent in AI today\" and let us track\n * gross-margin internally. Update manually when providers change prices\n * (roughly twice per year).\n *\n * Source: public provider pricing pages as of 2026-04-17.\n */\n\nexport interface ModelPricing {\n\t/** USD per 1M input tokens */\n\tinputPerMTokens: number;\n\t/** USD per 1M output tokens */\n\toutputPerMTokens: number;\n}\n\nexport const MODEL_PRICING: Record<string, Record<string, ModelPricing>> = {\n\tanthropic: {\n\t\t\"claude-haiku-4-5\": { inputPerMTokens: 1, outputPerMTokens: 5 },\n\t\t\"claude-haiku-4-5-20251001\": { inputPerMTokens: 1, outputPerMTokens: 5 },\n\t\t\"claude-sonnet-4-6\": { inputPerMTokens: 3, outputPerMTokens: 15 },\n\t\t\"claude-opus-4-7\": { inputPerMTokens: 15, outputPerMTokens: 75 },\n\t},\n\topenai: {\n\t\t\"gpt-4.1\": { inputPerMTokens: 2.5, outputPerMTokens: 10 },\n\t\t\"gpt-4o\": { inputPerMTokens: 2.5, outputPerMTokens: 10 },\n\t\t\"gpt-4o-mini\": { inputPerMTokens: 0.15, outputPerMTokens: 0.6 },\n\t},\n\tgoogle: {\n\t\t\"gemini-2.5-pro\": { inputPerMTokens: 1.25, outputPerMTokens: 10 },\n\t\t\"gemini-2.5-flash\": { inputPerMTokens: 0.3, outputPerMTokens: 2.5 },\n\t},\n};\n\nexport interface TokenUsage {\n\tinputTokens: number;\n\toutputTokens: number;\n}\n\n/**\n * Compute approximate USD cost for an AI step. Returns `null` if the\n * (provider, model) pair isn't in the pricing table — the caller should\n * display \"-\" rather than \"$0\".\n */\nexport function computeUsdCost(\n\tprovider: string,\n\tmodelId: string,\n\tusage: TokenUsage,\n): number | null {\n\tconst p = MODEL_PRICING[provider]?.[modelId];\n\tif (!p) return null;\n\treturn (\n\t\t(usage.inputTokens * p.inputPerMTokens) / 1_000_000 +\n\t\t(usage.outputTokens * p.outputPerMTokens) / 1_000_000\n\t);\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;AAkBO,IAAM,gBAA8D;AAAA,EAC1E,WAAW;AAAA,IACV,oBAAoB,EAAE,iBAAiB,GAAG,kBAAkB,EAAE;AAAA,IAC9D,6BAA6B,EAAE,iBAAiB,GAAG,kBAAkB,EAAE;AAAA,IACvE,qBAAqB,EAAE,iBAAiB,GAAG,kBAAkB,GAAG;AAAA,IAChE,mBAAmB,EAAE,iBAAiB,IAAI,kBAAkB,GAAG;AAAA,EAChE;AAAA,EACA,QAAQ;AAAA,IACP,WAAW,EAAE,iBAAiB,KAAK,kBAAkB,GAAG;AAAA,IACxD,UAAU,EAAE,iBAAiB,KAAK,kBAAkB,GAAG;AAAA,IACvD,eAAe,EAAE,iBAAiB,MAAM,kBAAkB,IAAI;AAAA,EAC/D;AAAA,EACA,QAAQ;AAAA,IACP,kBAAkB,EAAE,iBAAiB,MAAM,kBAAkB,GAAG;AAAA,IAChE,oBAAoB,EAAE,iBAAiB,KAAK,kBAAkB,IAAI;AAAA,EACnE;AACD;AAYO,SAAS,cAAc,CAC7B,UACA,SACA,OACgB;AAAA,EAChB,MAAM,IAAI,cAAc,YAAY;AAAA,EACpC,IAAI,CAAC;AAAA,IAAG,OAAO;AAAA,EACf,OACE,MAAM,cAAc,EAAE,kBAAmB,MACzC,MAAM,eAAe,EAAE,mBAAoB;AAAA;",
+  "debugId": "4DD95AFC388E4B9664756E2164756E21",
+  "names": []
+}

package/migrations/0033_workflow_steps_memo_key.ts

@@ -0,0 +1,54 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * v2 step memoization:
+ *
+ * 1. `memo_key` — SHA-256 of `(stepId, canonicalJSON(stableInputs))`. Replaces
+ *    the v1 `(run_id, step_id)` lookup so that editing a prompt in source
+ *    invalidates the cache on the next run. Partial UNIQUE allows legacy
+ *    pre-v2 rows with NULL memo_key to coexist.
+ *
+ * 2. `parent_step_id` — nullable self-FK for sub-step rows. AI tool calls
+ *    inside `generateText`/`generateObject` persist as children of the
+ *    parent AI step; on retry, previously successful tool calls return
+ *    cached results instead of re-invoking `execute`.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await db.schema
+		.alterTable("workflow_steps")
+		.addColumn("memo_key", "text")
+		.addColumn("parent_step_id", "uuid", (c) =>
+			c.references("workflow_steps.id").onDelete("cascade"),
+		)
+		.execute();
+
+	// Drop v1 composite UNIQUE. Replaced by memo_key-based UNIQUE below.
+	await sql`DROP INDEX IF EXISTS workflow_steps_dedup_idx`.execute(db);
+
+	// Partial UNIQUE: only constrain rows with memo_key set (v2 rows).
+	// Legacy NULL memo_key rows coexist without constraint violations.
+	await sql`CREATE UNIQUE INDEX workflow_steps_memo_idx ON workflow_steps (run_id, memo_key) WHERE memo_key IS NOT NULL`.execute(
+		db,
+	);
+
+	// Fan-out lookup for sub-step tool-call replay.
+	await sql`CREATE INDEX workflow_steps_parent_idx ON workflow_steps (parent_step_id) WHERE parent_step_id IS NOT NULL`.execute(
+		db,
+	);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP INDEX IF EXISTS workflow_steps_parent_idx`.execute(db);
+	await sql`DROP INDEX IF EXISTS workflow_steps_memo_idx`.execute(db);
+
+	// Restore v1 composite UNIQUE.
+	await sql`CREATE UNIQUE INDEX workflow_steps_dedup_idx ON workflow_steps (run_id, step_id)`.execute(
+		db,
+	);
+
+	await db.schema
+		.alterTable("workflow_steps")
+		.dropColumn("parent_step_id")
+		.dropColumn("memo_key")
+		.execute();
+}

package/migrations/0034_workflow_signer_secrets.ts

@@ -0,0 +1,42 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Workflow signer secrets — HMAC shared secrets used by the runner to
+ * authenticate requests to customer-hosted remote signer endpoints.
+ *
+ * Stored per-account, keyed by a user-chosen name referenced via
+ * `signer.remote({ hmacRef: "<name>" })` in workflow source. The
+ * `encrypted_value` column holds the secret encrypted at rest (runner
+ * KMS-decrypts on read). This separation lets customers rotate secrets
+ * without redeploying every workflow that references them.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await db.schema
+		.createTable("workflow_signer_secrets")
+		.addColumn("id", "uuid", (c) =>
+			c.primaryKey().defaultTo(sql`gen_random_uuid()`),
+		)
+		.addColumn("account_id", "uuid", (c) =>
+			c.notNull().references("accounts.id").onDelete("cascade"),
+		)
+		.addColumn("name", "text", (c) => c.notNull())
+		.addColumn("encrypted_value", "bytea", (c) => c.notNull())
+		.addColumn("created_at", "timestamptz", (c) =>
+			c.notNull().defaultTo(sql`now()`),
+		)
+		.addColumn("updated_at", "timestamptz", (c) =>
+			c.notNull().defaultTo(sql`now()`),
+		)
+		.execute();
+
+	await sql`CREATE UNIQUE INDEX workflow_signer_secrets_account_name_idx ON workflow_signer_secrets (account_id, name)`.execute(
+		db,
+	);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP INDEX IF EXISTS workflow_signer_secrets_account_name_idx`.execute(
+		db,
+	);
+	await db.schema.dropTable("workflow_signer_secrets").execute();
+}

package/migrations/0035_workflow_budgets.ts

@@ -0,0 +1,53 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Workflow budget counters — one row per `(workflow_definition_id, period)`.
+ * The runner increments these in `budget/enforcer.ts` after each AI/chain/
+ * run event and refuses further work when any configured cap is reached.
+ *
+ * `period` is a string key derived from the `WorkflowDefinition.budget.reset`
+ * setting and the current wall-clock: `"daily:2026-04-17"`,
+ * `"weekly:2026-W16"`, or `"per-run:<runId>"`. Old periods are retained for
+ * historical observability (budget burn-down view); a weekly TTL cron
+ * prunes them past 30 days of history.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await db.schema
+		.createTable("workflow_budgets")
+		.addColumn("id", "uuid", (c) =>
+			c.primaryKey().defaultTo(sql`gen_random_uuid()`),
+		)
+		.addColumn("workflow_definition_id", "uuid", (c) =>
+			c.notNull().references("workflow_definitions.id").onDelete("cascade"),
+		)
+		.addColumn("period", "text", (c) => c.notNull())
+		.addColumn("ai_usd_used", "numeric(12, 4)", (c) => c.notNull().defaultTo(0))
+		.addColumn("ai_tokens_used", "bigint", (c) => c.notNull().defaultTo(0))
+		.addColumn("chain_microstx_used", "numeric(30, 0)", (c) =>
+			c.notNull().defaultTo(0),
+		)
+		.addColumn("chain_tx_count", "integer", (c) => c.notNull().defaultTo(0))
+		.addColumn("run_count", "integer", (c) => c.notNull().defaultTo(0))
+		.addColumn("step_count", "integer", (c) => c.notNull().defaultTo(0))
+		.addColumn("reset_at", "timestamptz", (c) => c.notNull())
+		.addColumn("created_at", "timestamptz", (c) =>
+			c.notNull().defaultTo(sql`now()`),
+		)
+		.addColumn("updated_at", "timestamptz", (c) =>
+			c.notNull().defaultTo(sql`now()`),
+		)
+		.execute();
+
+	await sql`CREATE UNIQUE INDEX workflow_budgets_def_period_idx ON workflow_budgets (workflow_definition_id, period)`.execute(
+		db,
+	);
+	await sql`CREATE INDEX workflow_budgets_reset_at_idx ON workflow_budgets (reset_at)`.execute(
+		db,
+	);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP INDEX IF EXISTS workflow_budgets_reset_at_idx`.execute(db);
+	await sql`DROP INDEX IF EXISTS workflow_budgets_def_period_idx`.execute(db);
+	await db.schema.dropTable("workflow_budgets").execute();
+}

package/migrations/0036_tx_confirmed_notify.ts

@@ -0,0 +1,36 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * pg_notify trigger on the core `transactions` table. Fires on INSERT and
+ * publishes the txid on the `tx:confirmed` channel. The workflow runner's
+ * `confirmation/subgraph.ts` listens on this channel to resolve pending
+ * `broadcast({ awaitConfirmation: true })` promises.
+ *
+ * Payload is just the tx_id — listeners dedupe + look up details
+ * themselves. Keeping the payload small keeps pg_notify throughput high.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await sql`
+    CREATE OR REPLACE FUNCTION notify_tx_confirmed() RETURNS trigger AS $$
+    BEGIN
+      PERFORM pg_notify('tx:confirmed', NEW.tx_id);
+      RETURN NEW;
+    END;
+    $$ LANGUAGE plpgsql;
+  `.execute(db);
+
+	await sql`
+    DROP TRIGGER IF EXISTS tx_confirmed_notify ON transactions;
+    CREATE TRIGGER tx_confirmed_notify
+    AFTER INSERT ON transactions
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_tx_confirmed();
+  `.execute(db);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP TRIGGER IF EXISTS tx_confirmed_notify ON transactions`.execute(
+		db,
+	);
+	await sql`DROP FUNCTION IF EXISTS notify_tx_confirmed()`.execute(db);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@secondlayer/shared",
-	"version": "1.0.0",
+	"version": "1.1.0",
 	"type": "module",
 	"main": "./dist/src/index.js",
 	"types": "./dist/src/index.d.ts",
@@ -101,6 +101,10 @@
 			"types": "./dist/src/constants.d.ts",
 			"import": "./dist/src/constants.js"
 		},
+		"./pricing": {
+			"types": "./dist/src/pricing.d.ts",
+			"import": "./dist/src/pricing.js"
+		},
 		"./crypto": {
 			"types": "./dist/src/crypto/hmac.d.ts",
 			"import": "./dist/src/crypto/hmac.js"
@@ -109,6 +113,10 @@
 			"types": "./dist/src/crypto/hmac.d.ts",
 			"import": "./dist/src/crypto/hmac.js"
 		},
+		"./crypto/secrets": {
+			"types": "./dist/src/crypto/secrets.d.ts",
+			"import": "./dist/src/crypto/secrets.js"
+		},
 		"./node": {
 			"types": "./dist/src/node/client.d.ts",
 			"import": "./dist/src/node/client.js"
@@ -148,7 +156,7 @@
 		"prepublishOnly": "bun run build"
 	},
 	"dependencies": {
-		"@secondlayer/stacks": "^0.2.2",
+		"@secondlayer/stacks": "^0.3.0",
 		"kysely": "0.28.15",
 		"kysely-postgres-js": "3.0.0",
 		"postgres": "^3.4.6",