@secondlayer/shared 1.1.0 → 2.0.0

package/migrations/0039_tenants.ts

@@ -0,0 +1,66 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Dedicated-hosting tenant registry.
+ *
+ * One row per customer instance. Provisioner is stateless — it does Docker
+ * ops + returns values; control plane (this table) owns the persistent
+ * mapping between accounts and their per-tenant stack.
+ *
+ * Encrypted fields use `packages/shared/src/crypto/secrets.ts` (AES-GCM
+ * envelope keyed by `SECONDLAYER_SECRETS_KEY`). Never log them in plaintext.
+ *
+ * Storage is soft-enforced: `storage_used_mb` is updated by the health
+ * cron; alerts + overage billing live in the control plane, not the DB.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await sql`SET lock_timeout = '30s'`.execute(db);
+
+	await sql`
+		CREATE TABLE tenants (
+			id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+			account_id uuid NOT NULL REFERENCES accounts(id) ON DELETE RESTRICT,
+			slug text NOT NULL UNIQUE,
+			status text NOT NULL DEFAULT 'provisioning',
+
+			plan text NOT NULL,
+			cpus numeric(4,2) NOT NULL,
+			memory_mb integer NOT NULL,
+			storage_limit_mb integer NOT NULL,
+			storage_used_mb integer,
+
+			pg_container_id text,
+			api_container_id text,
+			processor_container_id text,
+
+			target_database_url_enc bytea NOT NULL,
+			tenant_jwt_secret_enc bytea NOT NULL,
+			anon_key_enc bytea NOT NULL,
+			service_key_enc bytea NOT NULL,
+
+			api_url_internal text NOT NULL,
+			api_url_public text NOT NULL,
+
+			trial_ends_at timestamptz NOT NULL,
+			suspended_at timestamptz,
+			last_health_check_at timestamptz,
+
+			created_at timestamptz NOT NULL DEFAULT now(),
+			updated_at timestamptz NOT NULL DEFAULT now()
+		)
+	`.execute(db);
+
+	await sql`CREATE INDEX tenants_account_idx ON tenants (account_id)`.execute(
+		db,
+	);
+	await sql`CREATE INDEX tenants_status_idx ON tenants (status) WHERE status <> 'deleted'`.execute(
+		db,
+	);
+	await sql`CREATE INDEX tenants_trial_ends_idx ON tenants (trial_ends_at) WHERE status IN ('provisioning', 'active')`.execute(
+		db,
+	);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP TABLE IF EXISTS tenants`.execute(db);
+}

package/migrations/0040_tenant_key_generations.ts

@@ -0,0 +1,29 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Per-tenant key generation counters. Each JWT carries a `gen` claim; the
+ * tenant API rejects tokens whose `gen` doesn't match the current counter
+ * for that role. Bumping a counter invalidates all JWTs of that role
+ * immediately, without rotating the signing secret (which would force
+ * both keys to rotate together).
+ *
+ * UX: user can rotate service alone (leaked server-side key) OR anon alone
+ * (client-side embedding exposed) OR both together (offboarding panic).
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await sql`SET lock_timeout = '30s'`.execute(db);
+
+	await sql`
+		ALTER TABLE tenants
+			ADD COLUMN service_gen integer NOT NULL DEFAULT 1,
+			ADD COLUMN anon_gen integer NOT NULL DEFAULT 1
+	`.execute(db);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`
+		ALTER TABLE tenants
+			DROP COLUMN IF EXISTS service_gen,
+			DROP COLUMN IF EXISTS anon_gen
+	`.execute(db);
+}

package/migrations/0041_subgraphs_drop_api_key_id.ts

@@ -0,0 +1,49 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Post-cutover cleanup: drop `subgraphs.api_key_id` and the partial unique
+ * index that went with nullable-api-key-id handling. Every subgraph lives in
+ * a tenant DB now; tenants authenticate via JWT (TENANT_JWT_SECRET), not
+ * per-account API keys — so this column has been dead weight since migration
+ * 0037 made it nullable.
+ *
+ * Runs against BOTH the platform DB and every tenant DB (migrations share
+ * the same list). The platform DB's `subgraphs` table is manually dropped
+ * as a one-off operation AFTER this migration (see Phase 2 cutover notes).
+ *
+ * Restores the simple `UNIQUE (name)` constraint the table started with —
+ * tenant subgraphs were always name-unique within a tenant.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await sql`SET lock_timeout = '30s'`.execute(db);
+
+	await sql`DROP INDEX IF EXISTS subgraphs_name_unique_no_key`.execute(db);
+	await sql`ALTER TABLE subgraphs DROP COLUMN IF EXISTS api_key_id`.execute(db);
+	// Re-add the simple name-unique constraint if it's not already there
+	// (noop if it was never dropped in a prior migration).
+	await sql`
+		DO $$
+		BEGIN
+			IF NOT EXISTS (
+				SELECT 1 FROM pg_constraint
+				WHERE conname = 'subgraphs_name_unique'
+			) THEN
+				ALTER TABLE subgraphs ADD CONSTRAINT subgraphs_name_unique UNIQUE (name);
+			END IF;
+		END$$
+	`.execute(db);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`ALTER TABLE subgraphs DROP CONSTRAINT IF EXISTS subgraphs_name_unique`.execute(
+		db,
+	);
+	await sql`ALTER TABLE subgraphs ADD COLUMN IF NOT EXISTS api_key_id text`.execute(
+		db,
+	);
+	await sql`
+		CREATE UNIQUE INDEX IF NOT EXISTS subgraphs_name_unique_no_key
+		ON subgraphs (name)
+		WHERE api_key_id IS NULL
+	`.execute(db);
+}

package/migrations/0042_tenant_project_id.ts

@@ -0,0 +1,25 @@
+import { type Kysely, sql } from "kysely";
+
+/**
+ * Link tenants to projects (1:1 enforced at application layer today;
+ * schema supports 1:N for future branching).
+ *
+ * `ON DELETE SET NULL` so a project delete doesn't cascade into tenant
+ * teardown — the tenant row stays (with project_id = NULL) until explicit
+ * teardown via the provisioner.
+ */
+export async function up(db: Kysely<unknown>): Promise<void> {
+	await sql`SET lock_timeout = '30s'`.execute(db);
+	await sql`
+		ALTER TABLE tenants
+			ADD COLUMN project_id uuid REFERENCES projects(id) ON DELETE SET NULL
+	`.execute(db);
+	await sql`CREATE INDEX IF NOT EXISTS tenants_project_idx ON tenants (project_id)`.execute(
+		db,
+	);
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await sql`DROP INDEX IF EXISTS tenants_project_idx`.execute(db);
+	await sql`ALTER TABLE tenants DROP COLUMN IF EXISTS project_id`.execute(db);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@secondlayer/shared",
-	"version": "1.1.0",
+	"version": "2.0.0",
 	"type": "module",
 	"main": "./dist/src/index.js",
 	"types": "./dist/src/index.d.ts",
@@ -73,6 +73,10 @@
 			"types": "./dist/src/db/queries/workflows.d.ts",
 			"import": "./dist/src/db/queries/workflows.js"
 		},
+		"./db/queries/tenants": {
+			"types": "./dist/src/db/queries/tenants.d.ts",
+			"import": "./dist/src/db/queries/tenants.js"
+		},
 		"./db/queries/marketplace": {
 			"types": "./dist/src/db/queries/marketplace.d.ts",
 			"import": "./dist/src/db/queries/marketplace.js"
@@ -89,6 +93,10 @@
 			"types": "./dist/src/env.d.ts",
 			"import": "./dist/src/env.js"
 		},
+		"./mode": {
+			"types": "./dist/src/mode.d.ts",
+			"import": "./dist/src/mode.js"
+		},
 		"./logger": {
 			"types": "./dist/src/logger.d.ts",
 			"import": "./dist/src/logger.js"