@secondlayer/shared 1.1.0 → 2.0.0

package/dist/src/db/queries/tenants.d.ts

@@ -0,0 +1,493 @@
+import { Kysely } from "kysely";
+import { ColumnType, Generated, Selectable } from "kysely";
+interface BlocksTable {
+	height: number;
+	hash: string;
+	parent_hash: string;
+	burn_block_height: number;
+	timestamp: number;
+	canonical: Generated<boolean>;
+	created_at: Generated<Date>;
+}
+interface TransactionsTable {
+	tx_id: string;
+	block_height: number;
+	tx_index: Generated<number>;
+	type: string;
+	sender: string;
+	status: string;
+	contract_id: string | null;
+	function_name: string | null;
+	function_args: Generated<unknown | null>;
+	raw_result: Generated<string | null>;
+	raw_tx: string;
+	created_at: Generated<Date>;
+}
+interface EventsTable {
+	id: Generated<string>;
+	tx_id: string;
+	block_height: number;
+	event_index: number;
+	type: string;
+	data: unknown;
+	created_at: Generated<Date>;
+}
+interface IndexProgressTable {
+	network: string;
+	last_indexed_block: Generated<number>;
+	last_contiguous_block: Generated<number>;
+	highest_seen_block: Generated<number>;
+	updated_at: Generated<Date>;
+}
+interface SubgraphsTable {
+	id: Generated<string>;
+	name: string;
+	version: Generated<string>;
+	status: Generated<string>;
+	definition: Record<string, unknown>;
+	schema_hash: string;
+	handler_path: string;
+	schema_name: string | null;
+	start_block: Generated<number>;
+	last_processed_block: Generated<number>;
+	reindex_from_block: number | null;
+	reindex_to_block: number | null;
+	last_error: string | null;
+	last_error_at: Date | null;
+	total_processed: Generated<number>;
+	total_errors: Generated<number>;
+	account_id: string;
+	handler_code: string | null;
+	source_code: string | null;
+	project_id: string | null;
+	is_public: Generated<boolean>;
+	tags: Generated<string[]>;
+	description: string | null;
+	forked_from_id: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface SubgraphGapsTable {
+	id: Generated<string>;
+	subgraph_id: string;
+	subgraph_name: string;
+	gap_start: number;
+	gap_end: number;
+	reason: string;
+	detected_at: Generated<Date>;
+	resolved_at: Date | null;
+}
+interface ApiKeysTable {
+	id: Generated<string>;
+	key_hash: string;
+	key_prefix: string;
+	name: string | null;
+	status: Generated<string>;
+	rate_limit: Generated<number>;
+	ip_address: string;
+	account_id: string;
+	last_used_at: Date | null;
+	revoked_at: Date | null;
+	created_at: Generated<Date>;
+}
+interface AccountsTable {
+	id: Generated<string>;
+	email: string;
+	plan: Generated<string>;
+	display_name: string | null;
+	bio: string | null;
+	avatar_url: string | null;
+	slug: string | null;
+	created_at: Generated<Date>;
+}
+interface SessionsTable {
+	id: Generated<string>;
+	token_hash: string;
+	token_prefix: string;
+	account_id: string;
+	ip_address: string;
+	expires_at: Generated<Date>;
+	revoked_at: Date | null;
+	last_used_at: Date | null;
+	created_at: Generated<Date>;
+}
+interface MagicLinksTable {
+	id: Generated<string>;
+	email: string;
+	token: string;
+	code: string | null;
+	expires_at: Date;
+	used_at: Date | null;
+	failed_attempts: Generated<number>;
+	created_at: Generated<Date>;
+}
+interface UsageDailyTable {
+	account_id: string;
+	date: string;
+	api_requests: Generated<number>;
+	deliveries: Generated<number>;
+}
+interface UsageSnapshotsTable {
+	id: Generated<string>;
+	account_id: string;
+	measured_at: Generated<Date>;
+	storage_bytes: Generated<number>;
+}
+interface WaitlistTable {
+	id: Generated<string>;
+	email: string;
+	source: Generated<string>;
+	status: Generated<string>;
+	created_at: Generated<Date>;
+}
+interface AccountInsightsTable {
+	id: Generated<string>;
+	account_id: string;
+	category: string;
+	insight_type: string;
+	resource_id: string | null;
+	severity: string;
+	title: string;
+	body: string;
+	data: unknown;
+	dismissed_at: Date | null;
+	expires_at: Date | null;
+	created_at: Generated<Date>;
+}
+interface AccountAgentRunsTable {
+	id: Generated<string>;
+	account_id: string;
+	started_at: Generated<Date>;
+	completed_at: Date | null;
+	status: Generated<string>;
+	input_tokens: Generated<number>;
+	output_tokens: Generated<number>;
+	cost_usd: Generated<number>;
+	insights_created: Generated<number>;
+	error: string | null;
+}
+interface SubgraphProcessingStatsTable {
+	id: Generated<string>;
+	subgraph_name: string;
+	api_key_id: string | null;
+	bucket_start: Date | null;
+	bucket_end: Date | null;
+	blocks_processed: number | null;
+	total_time_ms: number | null;
+	handler_time_ms: number | null;
+	flush_time_ms: number | null;
+	max_block_time_ms: number | null;
+	max_handler_time_ms: number | null;
+	avg_ops_per_block: number | null;
+	is_catchup: Generated<boolean>;
+	created_at: Generated<Date>;
+}
+interface SubgraphTableSnapshotsTable {
+	id: Generated<string>;
+	subgraph_name: string;
+	api_key_id: string | null;
+	table_name: string;
+	row_count: number | null;
+	created_at: Generated<Date>;
+}
+interface SubgraphHealthSnapshotsTable {
+	id: Generated<string>;
+	subgraph_id: string;
+	total_processed: number;
+	total_errors: number;
+	last_processed_block: number | null;
+	captured_at: Generated<Date>;
+}
+interface SubgraphUsageDailyTable {
+	subgraph_id: string;
+	date: string;
+	query_count: Generated<number>;
+}
+interface ProjectsTable {
+	id: Generated<string>;
+	name: string;
+	slug: string;
+	account_id: string;
+	settings: Generated<Record<string, unknown>>;
+	network: Generated<string>;
+	node_rpc: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface TeamMembersTable {
+	id: Generated<string>;
+	project_id: string;
+	account_id: string;
+	role: Generated<string>;
+	invited_by: string | null;
+	created_at: Generated<Date>;
+}
+interface TeamInvitationsTable {
+	id: Generated<string>;
+	project_id: string;
+	email: string;
+	role: Generated<string>;
+	token: string;
+	invited_by: string | null;
+	expires_at: Date;
+	accepted_at: Date | null;
+	created_at: Generated<Date>;
+}
+interface ChatSessionsTable {
+	id: Generated<string>;
+	account_id: string;
+	title: string | null;
+	summary: unknown | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface ChatMessagesTable {
+	id: Generated<string>;
+	chat_session_id: string;
+	role: string;
+	parts: unknown;
+	metadata: unknown | null;
+	created_at: Generated<Date>;
+}
+interface WorkflowDefinitionsTable {
+	id: Generated<string>;
+	name: string;
+	version: Generated<string>;
+	status: Generated<string>;
+	trigger_type: string;
+	trigger_config: unknown;
+	handler_path: string;
+	source_code: string | null;
+	retries_config: unknown | null;
+	timeout_ms: number | null;
+	api_key_id: string;
+	project_id: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowRunsTable {
+	id: Generated<string>;
+	definition_id: string;
+	status: Generated<string>;
+	trigger_type: string;
+	trigger_data: unknown | null;
+	dedup_key: string | null;
+	error: string | null;
+	started_at: Date | null;
+	completed_at: Date | null;
+	duration_ms: number | null;
+	total_ai_tokens: Generated<number>;
+	created_at: Generated<Date>;
+}
+interface WorkflowStepsTable {
+	id: Generated<string>;
+	run_id: string;
+	step_index: number;
+	step_id: string;
+	step_type: string;
+	status: Generated<string>;
+	input: unknown | null;
+	output: unknown | null;
+	error: string | null;
+	retry_count: Generated<number>;
+	ai_tokens_used: Generated<number>;
+	started_at: Date | null;
+	completed_at: Date | null;
+	duration_ms: number | null;
+	memo_key: string | null;
+	parent_step_id: string | null;
+	created_at: Generated<Date>;
+}
+interface WorkflowQueueTable {
+	id: Generated<string>;
+	run_id: string;
+	status: Generated<string>;
+	attempts: Generated<number>;
+	max_attempts: Generated<number>;
+	scheduled_for: Generated<Date>;
+	locked_at: Date | null;
+	locked_by: string | null;
+	error: string | null;
+	created_at: Generated<Date>;
+	completed_at: Date | null;
+}
+interface WorkflowSchedulesTable {
+	id: Generated<string>;
+	definition_id: string;
+	cron_expr: string;
+	timezone: Generated<string>;
+	next_run_at: Date;
+	last_run_at: Date | null;
+	enabled: Generated<boolean>;
+	created_at: Generated<Date>;
+}
+interface WorkflowCursorsTable {
+	name: string;
+	block_height: Generated<number>;
+	updated_at: Generated<Date>;
+}
+interface Database {
+	blocks: BlocksTable;
+	transactions: TransactionsTable;
+	events: EventsTable;
+	index_progress: IndexProgressTable;
+	subgraphs: SubgraphsTable;
+	api_keys: ApiKeysTable;
+	accounts: AccountsTable;
+	sessions: SessionsTable;
+	magic_links: MagicLinksTable;
+	usage_daily: UsageDailyTable;
+	usage_snapshots: UsageSnapshotsTable;
+	waitlist: WaitlistTable;
+	account_insights: AccountInsightsTable;
+	account_agent_runs: AccountAgentRunsTable;
+	subgraph_health_snapshots: SubgraphHealthSnapshotsTable;
+	subgraph_processing_stats: SubgraphProcessingStatsTable;
+	subgraph_table_snapshots: SubgraphTableSnapshotsTable;
+	subgraph_gaps: SubgraphGapsTable;
+	subgraph_usage_daily: SubgraphUsageDailyTable;
+	projects: ProjectsTable;
+	team_members: TeamMembersTable;
+	team_invitations: TeamInvitationsTable;
+	chat_sessions: ChatSessionsTable;
+	chat_messages: ChatMessagesTable;
+	workflow_definitions: WorkflowDefinitionsTable;
+	workflow_runs: WorkflowRunsTable;
+	workflow_steps: WorkflowStepsTable;
+	workflow_queue: WorkflowQueueTable;
+	workflow_schedules: WorkflowSchedulesTable;
+	workflow_cursors: WorkflowCursorsTable;
+	workflow_signer_secrets: WorkflowSignerSecretsTable;
+	workflow_budgets: WorkflowBudgetsTable;
+	tenants: TenantsTable;
+}
+type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
+interface TenantsTable {
+	id: Generated<string>;
+	account_id: string;
+	slug: string;
+	status: ColumnType<TenantStatus, TenantStatus | undefined, TenantStatus>;
+	plan: string;
+	cpus: ColumnType<number, number | string, number | string>;
+	memory_mb: number;
+	storage_limit_mb: number;
+	storage_used_mb: number | null;
+	pg_container_id: string | null;
+	api_container_id: string | null;
+	processor_container_id: string | null;
+	target_database_url_enc: Buffer;
+	tenant_jwt_secret_enc: Buffer;
+	anon_key_enc: Buffer;
+	service_key_enc: Buffer;
+	api_url_internal: string;
+	api_url_public: string;
+	trial_ends_at: Date;
+	suspended_at: Date | null;
+	last_health_check_at: Date | null;
+	service_gen: Generated<number>;
+	anon_gen: Generated<number>;
+	project_id: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+type Tenant = Selectable<TenantsTable>;
+interface WorkflowBudgetsTable {
+	id: Generated<string>;
+	workflow_definition_id: string;
+	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
+	period: string;
+	ai_usd_used: Generated<string>;
+	ai_tokens_used: Generated<string>;
+	chain_microstx_used: Generated<string>;
+	chain_tx_count: Generated<number>;
+	run_count: Generated<number>;
+	step_count: Generated<number>;
+	reset_at: Date;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface WorkflowSignerSecretsTable {
+	id: Generated<string>;
+	account_id: string;
+	name: string;
+	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
+	encrypted_value: Buffer;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+/**
+* Tenant registry queries. Encrypted columns are stored as `bytea` and
+* transparently encrypted/decrypted via `encryptSecret`/`decryptSecret`.
+*
+* Never return decrypted values from listTenants — only `getTenantCredentials`
+* surfaces plaintext, and only when explicitly called by a caller that
+* needs to hand creds to a CLI or dashboard session.
+*/
+interface NewTenantInput {
+	accountId: string;
+	slug: string;
+	plan: string;
+	cpus: number;
+	memoryMb: number;
+	storageLimitMb: number;
+	pgContainerId: string;
+	apiContainerId: string;
+	processorContainerId: string;
+	targetDatabaseUrl: string;
+	tenantJwtSecret: string;
+	anonKey: string;
+	serviceKey: string;
+	apiUrlInternal: string;
+	apiUrlPublic: string;
+	trialEndsAt: Date;
+	projectId?: string;
+}
+declare function insertTenant(db: Kysely<Database>, input: NewTenantInput): Promise<Tenant>;
+declare function getTenantByAccount(db: Kysely<Database>, accountId: string): Promise<Tenant | null>;
+declare function getTenantBySlug(db: Kysely<Database>, slug: string): Promise<Tenant | null>;
+declare function listTenantsByStatus(db: Kysely<Database>, status: TenantStatus): Promise<Tenant[]>;
+declare function listExpiredTrials(db: Kysely<Database>, now?: Date): Promise<Tenant[]>;
+declare function listSuspendedOlderThan(db: Kysely<Database>, olderThan: Date): Promise<Tenant[]>;
+declare function setTenantStatus(db: Kysely<Database>, slug: string, status: TenantStatus): Promise<void>;
+declare function recordHealthCheck(db: Kysely<Database>, slug: string, storageUsedMb: number | null): Promise<void>;
+declare function updateTenantPlan(db: Kysely<Database>, slug: string, plan: string, cpus: number, memoryMb: number, storageLimitMb: number): Promise<void>;
+type RotateType = "service" | "anon" | "both";
+/**
+* Bump the selected gen counter(s) by 1 and return the new values.
+* Used by the key-rotate endpoint to force the tenant API to reject
+* previously-issued tokens of the rotated role(s).
+*/
+declare function bumpTenantKeyGen(db: Kysely<Database>, slug: string, type: RotateType): Promise<{
+	serviceGen: number
+	anonGen: number
+}>;
+/**
+* Replace the encrypted key columns after a successful rotate. Only the
+* rotated column(s) are written — the other stays untouched.
+*/
+declare function updateTenantKeys(db: Kysely<Database>, slug: string, keys: {
+	serviceKey?: string
+	anonKey?: string
+}): Promise<void>;
+/**
+* Hard-delete a tenant row. Call only AFTER the provisioner has torn down
+* containers + volume; otherwise orphaned resources linger. Returns whether
+* a row was actually deleted.
+*/
+declare function deleteTenant(db: Kysely<Database>, slug: string): Promise<boolean>;
+interface TenantCredentials {
+	slug: string;
+	targetDatabaseUrl: string;
+	tenantJwtSecret: string;
+	anonKey: string;
+	serviceKey: string;
+	apiUrlInternal: string;
+	apiUrlPublic: string;
+}
+/**
+* Decrypts the four encrypted columns and returns them plaintext. Call
+* this only when surfacing credentials to an authorized caller (dashboard,
+* CLI). Never log the returned object.
+*/
+declare function getTenantCredentials(db: Kysely<Database>, slug: string): Promise<TenantCredentials | null>;
+export { updateTenantPlan, updateTenantKeys, setTenantStatus, recordHealthCheck, listTenantsByStatus, listSuspendedOlderThan, listExpiredTrials, insertTenant, getTenantCredentials, getTenantBySlug, getTenantByAccount, deleteTenant, bumpTenantKeyGen, TenantCredentials, RotateType, NewTenantInput };

package/dist/src/db/queries/tenants.js

@@ -0,0 +1,194 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+
+// src/crypto/secrets.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+var KEY_ENV = "SECONDLAYER_SECRETS_KEY";
+var IV_LEN = 12;
+var TAG_LEN = 16;
+function loadKey() {
+  const hex = process.env[KEY_ENV];
+  if (!hex) {
+    throw new Error(`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`);
+  }
+  const key = Buffer.from(hex, "hex");
+  if (key.length !== 32) {
+    throw new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);
+  }
+  return key;
+}
+var _cachedKey = null;
+function getKey() {
+  if (!_cachedKey)
+    _cachedKey = loadKey();
+  return _cachedKey;
+}
+function encryptSecret(plaintext) {
+  const key = getKey();
+  const iv = randomBytes(IV_LEN);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, ciphertext]);
+}
+function decryptSecret(envelope) {
+  const key = getKey();
+  const iv = envelope.subarray(0, IV_LEN);
+  const tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);
+  const ciphertext = envelope.subarray(IV_LEN + TAG_LEN);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(ciphertext).toString("utf8") + decipher.final("utf8");
+}
+function generateSecretsKey() {
+  return randomBytes(32).toString("hex");
+}
+
+// src/db/queries/tenants.ts
+async function insertTenant(db, input) {
+  const row = {
+    account_id: input.accountId,
+    slug: input.slug,
+    status: "active",
+    plan: input.plan,
+    cpus: input.cpus,
+    memory_mb: input.memoryMb,
+    storage_limit_mb: input.storageLimitMb,
+    pg_container_id: input.pgContainerId,
+    api_container_id: input.apiContainerId,
+    processor_container_id: input.processorContainerId,
+    target_database_url_enc: encryptSecret(input.targetDatabaseUrl),
+    tenant_jwt_secret_enc: encryptSecret(input.tenantJwtSecret),
+    anon_key_enc: encryptSecret(input.anonKey),
+    service_key_enc: encryptSecret(input.serviceKey),
+    api_url_internal: input.apiUrlInternal,
+    api_url_public: input.apiUrlPublic,
+    trial_ends_at: input.trialEndsAt,
+    project_id: input.projectId ?? null
+  };
+  return db.insertInto("tenants").values(row).returningAll().executeTakeFirstOrThrow();
+}
+async function getTenantByAccount(db, accountId) {
+  const row = await db.selectFrom("tenants").selectAll().where("account_id", "=", accountId).where("status", "<>", "deleted").orderBy("created_at", "desc").executeTakeFirst();
+  return row ?? null;
+}
+async function getTenantBySlug(db, slug) {
+  const row = await db.selectFrom("tenants").selectAll().where("slug", "=", slug).executeTakeFirst();
+  return row ?? null;
+}
+async function listTenantsByStatus(db, status) {
+  return db.selectFrom("tenants").selectAll().where("status", "=", status).execute();
+}
+async function listExpiredTrials(db, now = new Date) {
+  return db.selectFrom("tenants").selectAll().where("status", "in", ["provisioning", "active"]).where("trial_ends_at", "<", now).execute();
+}
+async function listSuspendedOlderThan(db, olderThan) {
+  return db.selectFrom("tenants").selectAll().where("status", "=", "suspended").where("suspended_at", "<", olderThan).execute();
+}
+async function setTenantStatus(db, slug, status) {
+  const patch = {
+    status,
+    updated_at: new Date
+  };
+  if (status === "suspended")
+    patch.suspended_at = new Date;
+  if (status === "active")
+    patch.suspended_at = null;
+  await db.updateTable("tenants").set(patch).where("slug", "=", slug).execute();
+}
+async function recordHealthCheck(db, slug, storageUsedMb) {
+  await db.updateTable("tenants").set({
+    last_health_check_at: new Date,
+    storage_used_mb: storageUsedMb,
+    updated_at: new Date
+  }).where("slug", "=", slug).execute();
+}
+async function updateTenantPlan(db, slug, plan, cpus, memoryMb, storageLimitMb) {
+  await db.updateTable("tenants").set({
+    plan,
+    cpus,
+    memory_mb: memoryMb,
+    storage_limit_mb: storageLimitMb,
+    updated_at: new Date
+  }).where("slug", "=", slug).execute();
+}
+async function bumpTenantKeyGen(db, slug, type) {
+  const bumpService = type === "service" || type === "both";
+  const bumpAnon = type === "anon" || type === "both";
+  const row = await db.updateTable("tenants").set((eb) => ({
+    service_gen: bumpService ? eb("service_gen", "+", 1) : eb.ref("service_gen"),
+    anon_gen: bumpAnon ? eb("anon_gen", "+", 1) : eb.ref("anon_gen"),
+    updated_at: new Date
+  })).where("slug", "=", slug).returning(["service_gen", "anon_gen"]).executeTakeFirstOrThrow();
+  return { serviceGen: row.service_gen, anonGen: row.anon_gen };
+}
+async function updateTenantKeys(db, slug, keys) {
+  const patch = { updated_at: new Date };
+  if (keys.serviceKey)
+    patch.service_key_enc = encryptSecret(keys.serviceKey);
+  if (keys.anonKey)
+    patch.anon_key_enc = encryptSecret(keys.anonKey);
+  if (Object.keys(patch).length === 1)
+    return;
+  await db.updateTable("tenants").set(patch).where("slug", "=", slug).execute();
+}
+async function deleteTenant(db, slug) {
+  const res = await db.deleteFrom("tenants").where("slug", "=", slug).executeTakeFirst();
+  return (res.numDeletedRows ?? 0n) > 0n;
+}
+async function getTenantCredentials(db, slug) {
+  const row = await db.selectFrom("tenants").select([
+    "slug",
+    "target_database_url_enc",
+    "tenant_jwt_secret_enc",
+    "anon_key_enc",
+    "service_key_enc",
+    "api_url_internal",
+    "api_url_public"
+  ]).where("slug", "=", slug).executeTakeFirst();
+  if (!row)
+    return null;
+  return {
+    slug: row.slug,
+    targetDatabaseUrl: decryptSecret(row.target_database_url_enc),
+    tenantJwtSecret: decryptSecret(row.tenant_jwt_secret_enc),
+    anonKey: decryptSecret(row.anon_key_enc),
+    serviceKey: decryptSecret(row.service_key_enc),
+    apiUrlInternal: row.api_url_internal,
+    apiUrlPublic: row.api_url_public
+  };
+}
+export {
+  updateTenantPlan,
+  updateTenantKeys,
+  setTenantStatus,
+  recordHealthCheck,
+  listTenantsByStatus,
+  listSuspendedOlderThan,
+  listExpiredTrials,
+  insertTenant,
+  getTenantCredentials,
+  getTenantBySlug,
+  getTenantByAccount,
+  deleteTenant,
+  bumpTenantKeyGen
+};
+
+//# debugId=1D0DA0A21FCE7D7664756E2164756E21
+//# sourceMappingURL=tenants.js.map