@secondlayer/shared 1.0.0 → 2.0.0

package/dist/src/node/local-client.d.ts

@@ -1,5 +1,5 @@
 import { Kysely } from "kysely";
-import { Generated } from "kysely";
+import { ColumnType, Generated } from "kysely";
 interface BlocksTable {
 	height: number;
 	hash: string;
@@ -56,7 +56,6 @@ interface SubgraphsTable {
 	last_error_at: Date | null;
 	total_processed: Generated<number>;
 	total_errors: Generated<number>;
-	api_key_id: string | null;
 	account_id: string;
 	handler_code: string | null;
 	source_code: string | null;
@@ -295,6 +294,8 @@ interface WorkflowStepsTable {
 	started_at: Date | null;
 	completed_at: Date | null;
 	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
 	created_at: Generated<Date>;
 }
 interface WorkflowQueueTable {
@@ -356,6 +357,62 @@ interface Database {
 	workflow_queue: WorkflowQueueTable;
 	workflow_schedules: WorkflowSchedulesTable;
 	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+	tenants: TenantsTable;
+}
+type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
+interface TenantsTable {
+	id: Generated<string>;
+	account_id: string;
+	slug: string;
+	status: ColumnType<TenantStatus, TenantStatus | undefined, TenantStatus>;
+	plan: string;
+	cpus: ColumnType<number, number | string, number | string>;
+	memory_mb: number;
+	storage_limit_mb: number;
+	storage_used_mb: number | null;
+	pg_container_id: string | null;
+	api_container_id: string | null;
+	processor_container_id: string | null;
+	target_database_url_enc: Buffer;
+	tenant_jwt_secret_enc: Buffer;
+	anon_key_enc: Buffer;
+	service_key_enc: Buffer;
+	api_url_internal: string;
+	api_url_public: string;
+	trial_ends_at: Date;
+	suspended_at: Date | null;
+	last_health_check_at: Date | null;
+	service_gen: Generated<number>;
+	anon_gen: Generated<number>;
+	project_id: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
 }
 /** Matches the NewBlockPayload shape expected by the indexer's /new_block endpoint */
 interface ReplayBlockPayload {

package/dist/src/pricing.d.ts

@@ -0,0 +1,28 @@
+/**
+* Token → USD pricing constants for internal observability.
+*
+* **Not customer billing.** Tier pricing covers compute; these constants
+* let the dashboard display "~$X spent in AI today" and let us track
+* gross-margin internally. Update manually when providers change prices
+* (roughly twice per year).
+*
+* Source: public provider pricing pages as of 2026-04-17.
+*/
+interface ModelPricing {
+	/** USD per 1M input tokens */
+	inputPerMTokens: number;
+	/** USD per 1M output tokens */
+	outputPerMTokens: number;
+}
+declare const MODEL_PRICING: Record<string, Record<string, ModelPricing>>;
+interface TokenUsage {
+	inputTokens: number;
+	outputTokens: number;
+}
+/**
+* Compute approximate USD cost for an AI step. Returns `null` if the
+* (provider, model) pair isn't in the pricing table — the caller should
+* display "-" rather than "$0".
+*/
+declare function computeUsdCost(provider: string, modelId: string, usage: TokenUsage): number | null;
+export { computeUsdCost, TokenUsage, ModelPricing, MODEL_PRICING };

package/dist/src/pricing.js

@@ -0,0 +1,47 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+
+// src/pricing.ts
+var MODEL_PRICING = {
+  anthropic: {
+    "claude-haiku-4-5": { inputPerMTokens: 1, outputPerMTokens: 5 },
+    "claude-haiku-4-5-20251001": { inputPerMTokens: 1, outputPerMTokens: 5 },
+    "claude-sonnet-4-6": { inputPerMTokens: 3, outputPerMTokens: 15 },
+    "claude-opus-4-7": { inputPerMTokens: 15, outputPerMTokens: 75 }
+  },
+  openai: {
+    "gpt-4.1": { inputPerMTokens: 2.5, outputPerMTokens: 10 },
+    "gpt-4o": { inputPerMTokens: 2.5, outputPerMTokens: 10 },
+    "gpt-4o-mini": { inputPerMTokens: 0.15, outputPerMTokens: 0.6 }
+  },
+  google: {
+    "gemini-2.5-pro": { inputPerMTokens: 1.25, outputPerMTokens: 10 },
+    "gemini-2.5-flash": { inputPerMTokens: 0.3, outputPerMTokens: 2.5 }
+  }
+};
+function computeUsdCost(provider, modelId, usage) {
+  const p = MODEL_PRICING[provider]?.[modelId];
+  if (!p)
+    return null;
+  return usage.inputTokens * p.inputPerMTokens / 1e6 + usage.outputTokens * p.outputPerMTokens / 1e6;
+}
+export {
+  computeUsdCost,
+  MODEL_PRICING
+};
+
+//# debugId=4DD95AFC388E4B9664756E2164756E21
+//# sourceMappingURL=pricing.js.map

package/dist/src/pricing.js.map

@@ -0,0 +1,10 @@
+{
+  "version": 3,
+  "sources": ["../src/pricing.ts"],
+  "sourcesContent": [
+    "/**\n * Token → USD pricing constants for internal observability.\n *\n * **Not customer billing.** Tier pricing covers compute; these constants\n * let the dashboard display \"~$X spent in AI today\" and let us track\n * gross-margin internally. Update manually when providers change prices\n * (roughly twice per year).\n *\n * Source: public provider pricing pages as of 2026-04-17.\n */\n\nexport interface ModelPricing {\n\t/** USD per 1M input tokens */\n\tinputPerMTokens: number;\n\t/** USD per 1M output tokens */\n\toutputPerMTokens: number;\n}\n\nexport const MODEL_PRICING: Record<string, Record<string, ModelPricing>> = {\n\tanthropic: {\n\t\t\"claude-haiku-4-5\": { inputPerMTokens: 1, outputPerMTokens: 5 },\n\t\t\"claude-haiku-4-5-20251001\": { inputPerMTokens: 1, outputPerMTokens: 5 },\n\t\t\"claude-sonnet-4-6\": { inputPerMTokens: 3, outputPerMTokens: 15 },\n\t\t\"claude-opus-4-7\": { inputPerMTokens: 15, outputPerMTokens: 75 },\n\t},\n\topenai: {\n\t\t\"gpt-4.1\": { inputPerMTokens: 2.5, outputPerMTokens: 10 },\n\t\t\"gpt-4o\": { inputPerMTokens: 2.5, outputPerMTokens: 10 },\n\t\t\"gpt-4o-mini\": { inputPerMTokens: 0.15, outputPerMTokens: 0.6 },\n\t},\n\tgoogle: {\n\t\t\"gemini-2.5-pro\": { inputPerMTokens: 1.25, outputPerMTokens: 10 },\n\t\t\"gemini-2.5-flash\": { inputPerMTokens: 0.3, outputPerMTokens: 2.5 },\n\t},\n};\n\nexport interface TokenUsage {\n\tinputTokens: number;\n\toutputTokens: number;\n}\n\n/**\n * Compute approximate USD cost for an AI step. Returns `null` if the\n * (provider, model) pair isn't in the pricing table — the caller should\n * display \"-\" rather than \"$0\".\n */\nexport function computeUsdCost(\n\tprovider: string,\n\tmodelId: string,\n\tusage: TokenUsage,\n): number | null {\n\tconst p = MODEL_PRICING[provider]?.[modelId];\n\tif (!p) return null;\n\treturn (\n\t\t(usage.inputTokens * p.inputPerMTokens) / 1_000_000 +\n\t\t(usage.outputTokens * p.outputPerMTokens) / 1_000_000\n\t);\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;AAkBO,IAAM,gBAA8D;AAAA,EAC1E,WAAW;AAAA,IACV,oBAAoB,EAAE,iBAAiB,GAAG,kBAAkB,EAAE;AAAA,IAC9D,6BAA6B,EAAE,iBAAiB,GAAG,kBAAkB,EAAE;AAAA,IACvE,qBAAqB,EAAE,iBAAiB,GAAG,kBAAkB,GAAG;AAAA,IAChE,mBAAmB,EAAE,iBAAiB,IAAI,kBAAkB,GAAG;AAAA,EAChE;AAAA,EACA,QAAQ;AAAA,IACP,WAAW,EAAE,iBAAiB,KAAK,kBAAkB,GAAG;AAAA,IACxD,UAAU,EAAE,iBAAiB,KAAK,kBAAkB,GAAG;AAAA,IACvD,eAAe,EAAE,iBAAiB,MAAM,kBAAkB,IAAI;AAAA,EAC/D;AAAA,EACA,QAAQ;AAAA,IACP,kBAAkB,EAAE,iBAAiB,MAAM,kBAAkB,GAAG;AAAA,IAChE,oBAAoB,EAAE,iBAAiB,KAAK,kBAAkB,IAAI;AAAA,EACnE;AACD;AAYO,SAAS,cAAc,CAC7B,UACA,SACA,OACgB;AAAA,EAChB,MAAM,IAAI,cAAc,YAAY;AAAA,EACpC,IAAI,CAAC;AAAA,IAAG,OAAO;AAAA,EACf,OACE,MAAM,cAAc,EAAE,kBAAmB,MACzC,MAAM,eAAe,EAAE,mBAAoB;AAAA;",
+  "debugId": "4DD95AFC388E4B9664756E2164756E21",
+  "names": []
+}

package/dist/src/queue/listener.d.ts

@@ -1,3 +1,12 @@
-declare function listen(channel: string, callback: (payload?: string) => void): Promise<() => Promise<void>>;
-declare function notify(channel: string, payload?: string): Promise<void>;
+interface ListenOptions {
+	/**
+	* Connection string to LISTEN on. Defaults to `process.env.DATABASE_URL`.
+	* In dual-DB mode, pass `SOURCE_DATABASE_URL` for indexer-fired channels
+	* (`indexer:new_block`, `subgraph_reorg`, `tx:confirmed`) and
+	* `TARGET_DATABASE_URL` for tenant-local channels (`subgraph_changes`).
+	*/
+	connectionString?: string;
+}
+declare function listen(channel: string, callback: (payload?: string) => void, opts?: ListenOptions): Promise<() => Promise<void>>;
+declare function notify(channel: string, payload?: string, opts?: ListenOptions): Promise<void>;
 export { notify, listen };

package/dist/src/queue/listener.js

@@ -16,12 +16,15 @@ var __export = (target, all) => {
 
 // src/queue/listener.ts
 import postgres from "postgres";
-async function listen(channel, callback) {
-  const connectionString = process.env.DATABASE_URL;
-  if (!connectionString) {
-    throw new Error("DATABASE_URL is required");
+function resolveUrl(opts) {
+  const url = opts?.connectionString ?? process.env.DATABASE_URL;
+  if (!url) {
+    throw new Error("listen/notify requires a connection string (opts.connectionString or DATABASE_URL)");
   }
-  const client = postgres(connectionString, {
+  return url;
+}
+async function listen(channel, callback, opts) {
+  const client = postgres(resolveUrl(opts), {
     max: 1,
     onnotice: () => {}
   });
@@ -32,12 +35,8 @@ async function listen(channel, callback) {
     await client.end();
   };
 }
-async function notify(channel, payload) {
-  const connectionString = process.env.DATABASE_URL;
-  if (!connectionString) {
-    throw new Error("DATABASE_URL is required");
-  }
-  const client = postgres(connectionString, { max: 1 });
+async function notify(channel, payload, opts) {
+  const client = postgres(resolveUrl(opts), { max: 1 });
   try {
     if (payload) {
       await client`SELECT pg_notify(${channel}, ${payload})`;
@@ -53,5 +52,5 @@ export {
   listen
 };
 
-//# debugId=BC1D53C4E8438D5E64756E2164756E21
+//# debugId=B44CC52F9682E31564756E2164756E21
 //# sourceMappingURL=listener.js.map

package/dist/src/queue/listener.js.map

@@ -2,9 +2,9 @@
   "version": 3,
   "sources": ["../src/queue/listener.ts"],
   "sourcesContent": [
-    "import postgres from \"postgres\";\n\nexport async function listen(\n\tchannel: string,\n\tcallback: (payload?: string) => void,\n): Promise<() => Promise<void>> {\n\tconst connectionString = process.env.DATABASE_URL;\n\tif (!connectionString) {\n\t\tthrow new Error(\"DATABASE_URL is required\");\n\t}\n\n\tconst client = postgres(connectionString, {\n\t\tmax: 1,\n\t\tonnotice: () => {},\n\t});\n\n\tawait client.listen(channel, (payload) => {\n\t\tcallback(payload);\n\t});\n\n\treturn async () => {\n\t\tawait client.end();\n\t};\n}\n\nexport async function notify(channel: string, payload?: string): Promise<void> {\n\tconst connectionString = process.env.DATABASE_URL;\n\tif (!connectionString) {\n\t\tthrow new Error(\"DATABASE_URL is required\");\n\t}\n\n\tconst client = postgres(connectionString, { max: 1 });\n\n\ttry {\n\t\tif (payload) {\n\t\t\tawait client`SELECT pg_notify(${channel}, ${payload})`;\n\t\t} else {\n\t\t\tawait client`SELECT pg_notify(${channel}, '')`;\n\t\t}\n\t} finally {\n\t\tawait client.end();\n\t}\n}\n"
+    "import postgres from \"postgres\";\n\ninterface ListenOptions {\n\t/**\n\t * Connection string to LISTEN on. Defaults to `process.env.DATABASE_URL`.\n\t * In dual-DB mode, pass `SOURCE_DATABASE_URL` for indexer-fired channels\n\t * (`indexer:new_block`, `subgraph_reorg`, `tx:confirmed`) and\n\t * `TARGET_DATABASE_URL` for tenant-local channels (`subgraph_changes`).\n\t */\n\tconnectionString?: string;\n}\n\nfunction resolveUrl(opts?: ListenOptions): string {\n\tconst url = opts?.connectionString ?? process.env.DATABASE_URL;\n\tif (!url) {\n\t\tthrow new Error(\n\t\t\t\"listen/notify requires a connection string (opts.connectionString or DATABASE_URL)\",\n\t\t);\n\t}\n\treturn url;\n}\n\nexport async function listen(\n\tchannel: string,\n\tcallback: (payload?: string) => void,\n\topts?: ListenOptions,\n): Promise<() => Promise<void>> {\n\tconst client = postgres(resolveUrl(opts), {\n\t\tmax: 1,\n\t\tonnotice: () => {},\n\t});\n\n\tawait client.listen(channel, (payload) => {\n\t\tcallback(payload);\n\t});\n\n\treturn async () => {\n\t\tawait client.end();\n\t};\n}\n\nexport async function notify(\n\tchannel: string,\n\tpayload?: string,\n\topts?: ListenOptions,\n): Promise<void> {\n\tconst client = postgres(resolveUrl(opts), { max: 1 });\n\n\ttry {\n\t\tif (payload) {\n\t\t\tawait client`SELECT pg_notify(${channel}, ${payload})`;\n\t\t} else {\n\t\t\tawait client`SELECT pg_notify(${channel}, '')`;\n\t\t}\n\t} finally {\n\t\tawait client.end();\n\t}\n}\n"
   ],
-  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAEA,eAAsB,MAAM,CAC3B,SACA,UAC+B;AAAA,EAC/B,MAAM,mBAAmB,QAAQ,IAAI;AAAA,EACrC,IAAI,CAAC,kBAAkB;AAAA,IACtB,MAAM,IAAI,MAAM,0BAA0B;AAAA,EAC3C;AAAA,EAEA,MAAM,SAAS,SAAS,kBAAkB;AAAA,IACzC,KAAK;AAAA,IACL,UAAU,MAAM;AAAA,EACjB,CAAC;AAAA,EAED,MAAM,OAAO,OAAO,SAAS,CAAC,YAAY;AAAA,IACzC,SAAS,OAAO;AAAA,GAChB;AAAA,EAED,OAAO,YAAY;AAAA,IAClB,MAAM,OAAO,IAAI;AAAA;AAAA;AAInB,eAAsB,MAAM,CAAC,SAAiB,SAAiC;AAAA,EAC9E,MAAM,mBAAmB,QAAQ,IAAI;AAAA,EACrC,IAAI,CAAC,kBAAkB;AAAA,IACtB,MAAM,IAAI,MAAM,0BAA0B;AAAA,EAC3C;AAAA,EAEA,MAAM,SAAS,SAAS,kBAAkB,EAAE,KAAK,EAAE,CAAC;AAAA,EAEpD,IAAI;AAAA,IACH,IAAI,SAAS;AAAA,MACZ,MAAM,0BAA0B,YAAY;AAAA,IAC7C,EAAO;AAAA,MACN,MAAM,0BAA0B;AAAA;AAAA,YAEhC;AAAA,IACD,MAAM,OAAO,IAAI;AAAA;AAAA;",
-  "debugId": "BC1D53C4E8438D5E64756E2164756E21",
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAYA,SAAS,UAAU,CAAC,MAA8B;AAAA,EACjD,MAAM,MAAM,MAAM,oBAAoB,QAAQ,IAAI;AAAA,EAClD,IAAI,CAAC,KAAK;AAAA,IACT,MAAM,IAAI,MACT,oFACD;AAAA,EACD;AAAA,EACA,OAAO;AAAA;AAGR,eAAsB,MAAM,CAC3B,SACA,UACA,MAC+B;AAAA,EAC/B,MAAM,SAAS,SAAS,WAAW,IAAI,GAAG;AAAA,IACzC,KAAK;AAAA,IACL,UAAU,MAAM;AAAA,EACjB,CAAC;AAAA,EAED,MAAM,OAAO,OAAO,SAAS,CAAC,YAAY;AAAA,IACzC,SAAS,OAAO;AAAA,GAChB;AAAA,EAED,OAAO,YAAY;AAAA,IAClB,MAAM,OAAO,IAAI;AAAA;AAAA;AAInB,eAAsB,MAAM,CAC3B,SACA,SACA,MACgB;AAAA,EAChB,MAAM,SAAS,SAAS,WAAW,IAAI,GAAG,EAAE,KAAK,EAAE,CAAC;AAAA,EAEpD,IAAI;AAAA,IACH,IAAI,SAAS;AAAA,MACZ,MAAM,0BAA0B,YAAY;AAAA,IAC7C,EAAO;AAAA,MACN,MAAM,0BAA0B;AAAA;AAAA,YAEhC;AAAA,IACD,MAAM,OAAO,IAAI;AAAA;AAAA;",
+  "debugId": "B44CC52F9682E31564756E2164756E21",
   "names": []
 }

package/dist/src/types.d.ts

@@ -48,6 +48,16 @@ type IndexProgress = Selectable<IndexProgressTable>;
 type InsertIndexProgress = Insertable<IndexProgressTable>;
 interface EnvSchemaOutput {
 	DATABASE_URL?: string;
+	/**
+	* Shared indexer DB (blocks/txs/events). Falls back to DATABASE_URL.
+	* Set this alongside TARGET_DATABASE_URL to enable dual-DB mode.
+	*/
+	SOURCE_DATABASE_URL?: string;
+	/**
+	* Tenant DB (subgraph schemas + subgraphs table). Falls back to DATABASE_URL.
+	* Set this alongside SOURCE_DATABASE_URL to enable dual-DB mode.
+	*/
+	TARGET_DATABASE_URL?: string;
 	NETWORK?: "mainnet" | "testnet";
 	NETWORKS?: ("mainnet" | "testnet")[];
 	LOG_LEVEL: "debug" | "info" | "warn" | "error";

package/migrations/0033_workflow_steps_memo_key.ts

@@ -0,0 +1,54 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * v2 step memoization:
+ *
+ * 1. `memo_key` — SHA-256 of `(stepId, canonicalJSON(stableInputs))`. Replaces
+ *    the v1 `(run_id, step_id)` lookup so that editing a prompt in source
+ *    invalidates the cache on the next run. Partial UNIQUE allows legacy
+ *    pre-v2 rows with NULL memo_key to coexist.
+ *
+ * 2. `parent_step_id` — nullable self-FK for sub-step rows. AI tool calls
+ *    inside `generateText`/`generateObject` persist as children of the
+ *    parent AI step; on retry, previously successful tool calls return
+ *    cached results instead of re-invoking `execute`.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await db.schema
+		.alterTable("workflow_steps")
+		.addColumn("memo_key", "text")
+		.addColumn("parent_step_id", "uuid", (c) =>
+			c.references("workflow_steps.id").onDelete("cascade"),
+		)
+		.execute();
+
+	// Drop v1 composite UNIQUE. Replaced by memo_key-based UNIQUE below.
+	await sql`DROP INDEX IF EXISTS workflow_steps_dedup_idx`.execute(db);
+
+	// Partial UNIQUE: only constrain rows with memo_key set (v2 rows).
+	// Legacy NULL memo_key rows coexist without constraint violations.
+	await sql`CREATE UNIQUE INDEX workflow_steps_memo_idx ON workflow_steps (run_id, memo_key) WHERE memo_key IS NOT NULL`.execute(
+		db,
+	);
+
+	// Fan-out lookup for sub-step tool-call replay.
+	await sql`CREATE INDEX workflow_steps_parent_idx ON workflow_steps (parent_step_id) WHERE parent_step_id IS NOT NULL`.execute(
+		db,
+	);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP INDEX IF EXISTS workflow_steps_parent_idx`.execute(db);
+	await sql`DROP INDEX IF EXISTS workflow_steps_memo_idx`.execute(db);
+
+	// Restore v1 composite UNIQUE.
+	await sql`CREATE UNIQUE INDEX workflow_steps_dedup_idx ON workflow_steps (run_id, step_id)`.execute(
+		db,
+	);
+
+	await db.schema
+		.alterTable("workflow_steps")
+		.dropColumn("parent_step_id")
+		.dropColumn("memo_key")
+		.execute();
+}

package/migrations/0034_workflow_signer_secrets.ts

@@ -0,0 +1,42 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Workflow signer secrets — HMAC shared secrets used by the runner to
+ * authenticate requests to customer-hosted remote signer endpoints.
+ *
+ * Stored per-account, keyed by a user-chosen name referenced via
+ * `signer.remote({ hmacRef: "<name>" })` in workflow source. The
+ * `encrypted_value` column holds the secret encrypted at rest (runner
+ * KMS-decrypts on read). This separation lets customers rotate secrets
+ * without redeploying every workflow that references them.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await db.schema
+		.createTable("workflow_signer_secrets")
+		.addColumn("id", "uuid", (c) =>
+			c.primaryKey().defaultTo(sql`gen_random_uuid()`),
+		)
+		.addColumn("account_id", "uuid", (c) =>
+			c.notNull().references("accounts.id").onDelete("cascade"),
+		)
+		.addColumn("name", "text", (c) => c.notNull())
+		.addColumn("encrypted_value", "bytea", (c) => c.notNull())
+		.addColumn("created_at", "timestamptz", (c) =>
+			c.notNull().defaultTo(sql`now()`),
+		)
+		.addColumn("updated_at", "timestamptz", (c) =>
+			c.notNull().defaultTo(sql`now()`),
+		)
+		.execute();
+
+	await sql`CREATE UNIQUE INDEX workflow_signer_secrets_account_name_idx ON workflow_signer_secrets (account_id, name)`.execute(
+		db,
+	);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP INDEX IF EXISTS workflow_signer_secrets_account_name_idx`.execute(
+		db,
+	);
+	await db.schema.dropTable("workflow_signer_secrets").execute();
+}

package/migrations/0035_workflow_budgets.ts

@@ -0,0 +1,53 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Workflow budget counters — one row per `(workflow_definition_id, period)`.
+ * The runner increments these in `budget/enforcer.ts` after each AI/chain/
+ * run event and refuses further work when any configured cap is reached.
+ *
+ * `period` is a string key derived from the `WorkflowDefinition.budget.reset`
+ * setting and the current wall-clock: `"daily:2026-04-17"`,
+ * `"weekly:2026-W16"`, or `"per-run:<runId>"`. Old periods are retained for
+ * historical observability (budget burn-down view); a weekly TTL cron
+ * prunes them past 30 days of history.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await db.schema
+		.createTable("workflow_budgets")
+		.addColumn("id", "uuid", (c) =>
+			c.primaryKey().defaultTo(sql`gen_random_uuid()`),
+		)
+		.addColumn("workflow_definition_id", "uuid", (c) =>
+			c.notNull().references("workflow_definitions.id").onDelete("cascade"),
+		)
+		.addColumn("period", "text", (c) => c.notNull())
+		.addColumn("ai_usd_used", "numeric(12, 4)", (c) => c.notNull().defaultTo(0))
+		.addColumn("ai_tokens_used", "bigint", (c) => c.notNull().defaultTo(0))
+		.addColumn("chain_microstx_used", "numeric(30, 0)", (c) =>
+			c.notNull().defaultTo(0),
+		)
+		.addColumn("chain_tx_count", "integer", (c) => c.notNull().defaultTo(0))
+		.addColumn("run_count", "integer", (c) => c.notNull().defaultTo(0))
+		.addColumn("step_count", "integer", (c) => c.notNull().defaultTo(0))
+		.addColumn("reset_at", "timestamptz", (c) => c.notNull())
+		.addColumn("created_at", "timestamptz", (c) =>
+			c.notNull().defaultTo(sql`now()`),
+		)
+		.addColumn("updated_at", "timestamptz", (c) =>
+			c.notNull().defaultTo(sql`now()`),
+		)
+		.execute();
+
+	await sql`CREATE UNIQUE INDEX workflow_budgets_def_period_idx ON workflow_budgets (workflow_definition_id, period)`.execute(
+		db,
+	);
+	await sql`CREATE INDEX workflow_budgets_reset_at_idx ON workflow_budgets (reset_at)`.execute(
+		db,
+	);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP INDEX IF EXISTS workflow_budgets_reset_at_idx`.execute(db);
+	await sql`DROP INDEX IF EXISTS workflow_budgets_def_period_idx`.execute(db);
+	await db.schema.dropTable("workflow_budgets").execute();
+}

package/migrations/0036_tx_confirmed_notify.ts

@@ -0,0 +1,36 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * pg_notify trigger on the core `transactions` table. Fires on INSERT and
+ * publishes the txid on the `tx:confirmed` channel. The workflow runner's
+ * `confirmation/subgraph.ts` listens on this channel to resolve pending
+ * `broadcast({ awaitConfirmation: true })` promises.
+ *
+ * Payload is just the tx_id — listeners dedupe + look up details
+ * themselves. Keeping the payload small keeps pg_notify throughput high.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await sql`
+    CREATE OR REPLACE FUNCTION notify_tx_confirmed() RETURNS trigger AS $$
+    BEGIN
+      PERFORM pg_notify('tx:confirmed', NEW.tx_id);
+      RETURN NEW;
+    END;
+    $$ LANGUAGE plpgsql;
+  `.execute(db);
+
+	await sql`
+    DROP TRIGGER IF EXISTS tx_confirmed_notify ON transactions;
+    CREATE TRIGGER tx_confirmed_notify
+    AFTER INSERT ON transactions
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_tx_confirmed();
+  `.execute(db);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP TRIGGER IF EXISTS tx_confirmed_notify ON transactions`.execute(
+		db,
+	);
+	await sql`DROP FUNCTION IF EXISTS notify_tx_confirmed()`.execute(db);
+}

package/migrations/0037_nullable_api_key.ts

@@ -0,0 +1,35 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Make `subgraphs.api_key_id` nullable to support oss/dedicated modes where
+ * there's no per-tenant API key concept. In platform mode the column stays
+ * populated on every insert; in oss/dedicated it's NULL.
+ *
+ * A partial unique index on `(name) WHERE api_key_id IS NULL` enforces the
+ * single-tenant constraint: within a non-platform instance, subgraph names
+ * are globally unique (there's only one "tenant"). Platform mode's existing
+ * uniqueness constraint on `(api_key_id, name)` stays in place for the
+ * multi-tenant case.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	// Fail fast instead of hanging when a live service holds ACCESS SHARE on
+	// `subgraphs` (e.g. subgraph-processor's 5s poll). Deploy script stops
+	// dependent services before running migrations — this is a safety net.
+	await sql`SET lock_timeout = '30s'`.execute(db);
+
+	await sql`ALTER TABLE subgraphs ALTER COLUMN api_key_id DROP NOT NULL`.execute(
+		db,
+	);
+	await sql`
+		CREATE UNIQUE INDEX IF NOT EXISTS subgraphs_name_unique_no_key
+		ON subgraphs (name)
+		WHERE api_key_id IS NULL
+	`.execute(db);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP INDEX IF EXISTS subgraphs_name_unique_no_key`.execute(db);
+	// Intentionally does NOT re-add NOT NULL — any rows inserted while the
+	// constraint was relaxed would break the migration. Operators should
+	// backfill api_key_id before re-applying NOT NULL manually if desired.
+}

package/migrations/0038_drop_workflow_tables.ts

@@ -0,0 +1,46 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Drops all workflow-related tables + the `tx_confirmed_notify` trigger.
+ *
+ * Workflows are going on the back burner while we ship dedicated-hosted
+ * subgraphs. We've learned enough from building the subgraph tenant model
+ * that reviving workflows later can follow the same dedicated-per-tenant
+ * pattern with a fresh schema designed for that architecture — no reason
+ * to keep dormant tables on the shared platform DB.
+ *
+ * Tables dropped (in FK-safe order via CASCADE):
+ *   workflow_steps, workflow_runs, workflow_queue, workflow_schedules,
+ *   workflow_cursors, workflow_signer_secrets, workflow_budgets,
+ *   workflow_definitions
+ *
+ * Also drops `tx_confirmed_notify` — nobody listens on `tx:confirmed` now
+ * that workflow-runner is unmounted. The trigger fires on every
+ * transactions insert (indexer hot path), so leaving it is wasted work.
+ *
+ * `down` is intentionally a no-op. When workflows revive, they get fresh
+ * migrations designed for the tenant model — don't try to reverse into the
+ * old platform-shared schema.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await sql`SET lock_timeout = '30s'`.execute(db);
+
+	await sql`DROP TRIGGER IF EXISTS tx_confirmed_notify ON transactions`.execute(
+		db,
+	);
+	await sql`DROP FUNCTION IF EXISTS notify_tx_confirmed()`.execute(db);
+
+	await sql`DROP TABLE IF EXISTS workflow_steps CASCADE`.execute(db);
+	await sql`DROP TABLE IF EXISTS workflow_runs CASCADE`.execute(db);
+	await sql`DROP TABLE IF EXISTS workflow_queue CASCADE`.execute(db);
+	await sql`DROP TABLE IF EXISTS workflow_schedules CASCADE`.execute(db);
+	await sql`DROP TABLE IF EXISTS workflow_cursors CASCADE`.execute(db);
+	await sql`DROP TABLE IF EXISTS workflow_signer_secrets CASCADE`.execute(db);
+	await sql`DROP TABLE IF EXISTS workflow_budgets CASCADE`.execute(db);
+	await sql`DROP TABLE IF EXISTS workflow_definitions CASCADE`.execute(db);
+}
+
+export async function down(_db: Kysely<unknown>): Promise<void> {
+	// Intentional no-op. Revived workflows will use fresh migrations sized
+	// for the tenant-per-customer model.
+}

package/migrations/0039_tenants.ts

@@ -0,0 +1,66 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Dedicated-hosting tenant registry.
+ *
+ * One row per customer instance. Provisioner is stateless — it does Docker
+ * ops + returns values; control plane (this table) owns the persistent
+ * mapping between accounts and their per-tenant stack.
+ *
+ * Encrypted fields use `packages/shared/src/crypto/secrets.ts` (AES-GCM
+ * envelope keyed by `SECONDLAYER_SECRETS_KEY`). Never log them in plaintext.
+ *
+ * Storage is soft-enforced: `storage_used_mb` is updated by the health
+ * cron; alerts + overage billing live in the control plane, not the DB.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await sql`SET lock_timeout = '30s'`.execute(db);
+
+	await sql`
+		CREATE TABLE tenants (
+			id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+			account_id uuid NOT NULL REFERENCES accounts(id) ON DELETE RESTRICT,
+			slug text NOT NULL UNIQUE,
+			status text NOT NULL DEFAULT 'provisioning',
+
+			plan text NOT NULL,
+			cpus numeric(4,2) NOT NULL,
+			memory_mb integer NOT NULL,
+			storage_limit_mb integer NOT NULL,
+			storage_used_mb integer,
+
+			pg_container_id text,
+			api_container_id text,
+			processor_container_id text,
+
+			target_database_url_enc bytea NOT NULL,
+			tenant_jwt_secret_enc bytea NOT NULL,
+			anon_key_enc bytea NOT NULL,
+			service_key_enc bytea NOT NULL,
+
+			api_url_internal text NOT NULL,
+			api_url_public text NOT NULL,
+
+			trial_ends_at timestamptz NOT NULL,
+			suspended_at timestamptz,
+			last_health_check_at timestamptz,
+
+			created_at timestamptz NOT NULL DEFAULT now(),
+			updated_at timestamptz NOT NULL DEFAULT now()
+		)
+	`.execute(db);
+
+	await sql`CREATE INDEX tenants_account_idx ON tenants (account_id)`.execute(
+		db,
+	);
+	await sql`CREATE INDEX tenants_status_idx ON tenants (status) WHERE status <> 'deleted'`.execute(
+		db,
+	);
+	await sql`CREATE INDEX tenants_trial_ends_idx ON tenants (trial_ends_at) WHERE status IN ('provisioning', 'active')`.execute(
+		db,
+	);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP TABLE IF EXISTS tenants`.execute(db);
+}

package/migrations/0040_tenant_key_generations.ts

@@ -0,0 +1,29 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Per-tenant key generation counters. Each JWT carries a `gen` claim; the
+ * tenant API rejects tokens whose `gen` doesn't match the current counter
+ * for that role. Bumping a counter invalidates all JWTs of that role
+ * immediately, without rotating the signing secret (which would force
+ * both keys to rotate together).
+ *
+ * UX: user can rotate service alone (leaked server-side key) OR anon alone
+ * (client-side embedding exposed) OR both together (offboarding panic).
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await sql`SET lock_timeout = '30s'`.execute(db);
+
+	await sql`
+		ALTER TABLE tenants
+			ADD COLUMN service_gen integer NOT NULL DEFAULT 1,
+			ADD COLUMN anon_gen integer NOT NULL DEFAULT 1
+	`.execute(db);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`
+		ALTER TABLE tenants
+			DROP COLUMN IF EXISTS service_gen,
+			DROP COLUMN IF EXISTS anon_gen
+	`.execute(db);
+}