npm - @secondlayer/shared - Versions diffs - 1.1.0 → 2.1.0 - Mend

@secondlayer/shared 1.1.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/dist/src/db/index.d.ts +89 -6
package/dist/src/db/index.js +53 -29
package/dist/src/db/index.js.map +4 -4
package/dist/src/db/jsonb.js.map +2 -2
package/dist/src/db/queries/accounts.d.ts +58 -2
package/dist/src/db/queries/integrity.d.ts +58 -2
package/dist/src/db/queries/projects.d.ts +58 -2
package/dist/src/db/queries/projects.js.map +2 -2
package/dist/src/db/queries/{marketplace.d.ts → provisioning-audit.d.ts} +79 -56
package/dist/src/db/queries/provisioning-audit.js +40 -0
package/dist/src/db/queries/provisioning-audit.js.map +10 -0
package/dist/src/db/queries/subgraph-gaps.d.ts +58 -2
package/dist/src/db/queries/subgraphs.d.ts +62 -5
package/dist/src/db/queries/subgraphs.js +3 -9
package/dist/src/db/queries/subgraphs.js.map +4 -4
package/dist/src/db/queries/tenants.d.ts +527 -0
package/dist/src/db/queries/tenants.js +220 -0
package/dist/src/db/queries/tenants.js.map +11 -0
package/dist/src/db/queries/usage.d.ts +58 -2
package/dist/src/db/queries/usage.js +3 -3
package/dist/src/db/queries/usage.js.map +3 -3
package/dist/src/db/queries/workflows.d.ts +58 -2
package/dist/src/db/queries/workflows.js +31 -3
package/dist/src/db/queries/workflows.js.map +4 -4
package/dist/src/db/schema.d.ts +67 -3
package/dist/src/env.d.ts +10 -0
package/dist/src/env.js +3 -1
package/dist/src/env.js.map +3 -3
package/dist/src/errors.d.ts +17 -3
package/dist/src/errors.js +34 -3
package/dist/src/errors.js.map +3 -3
package/dist/src/index.d.ts +142 -84
package/dist/src/index.js +146 -99
package/dist/src/index.js.map +8 -8
package/dist/src/logger.js +3 -1
package/dist/src/logger.js.map +3 -3
package/dist/src/mode.d.ts +29 -0
package/dist/src/mode.js +43 -0
package/dist/src/mode.js.map +10 -0
package/dist/src/node/archive-client.js +3 -1
package/dist/src/node/archive-client.js.map +3 -3
package/dist/src/node/hiro-client.js +3 -1
package/dist/src/node/hiro-client.js.map +3 -3
package/dist/src/node/local-client.d.ts +58 -2
package/dist/src/queue/listener.d.ts +11 -2
package/dist/src/queue/listener.js +11 -12
package/dist/src/queue/listener.js.map +3 -3
package/dist/src/schemas/accounts.d.ts +14 -0
package/dist/src/schemas/{marketplace.js → accounts.js} +4 -14
package/dist/src/schemas/accounts.js.map +10 -0
package/dist/src/schemas/index.d.ts +28 -77
package/dist/src/schemas/index.js +59 -69
package/dist/src/schemas/index.js.map +4 -4
package/dist/src/types.d.ts +10 -0
package/migrations/0037_nullable_api_key.ts +35 -0
package/migrations/0038_drop_workflow_tables.ts +46 -0
package/migrations/0039_tenants.ts +66 -0
package/migrations/0040_tenant_key_generations.ts +29 -0
package/migrations/0041_subgraphs_drop_api_key_id.ts +49 -0
package/migrations/0042_tenant_project_id.ts +25 -0
package/migrations/0043_tenant_usage_monthly.ts +36 -0
package/migrations/0044_provisioning_audit_log.ts +40 -0
package/package.json +15 -7
package/dist/src/db/queries/marketplace.js +0 -142
package/dist/src/db/queries/marketplace.js.map +0 -10
package/dist/src/schemas/marketplace.d.ts +0 -63
package/dist/src/schemas/marketplace.js.map +0 -10

package/dist/src/db/queries/tenants.js ADDED Viewed

@@ -0,0 +1,220 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+// src/crypto/secrets.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+var KEY_ENV = "SECONDLAYER_SECRETS_KEY";
+var IV_LEN = 12;
+var TAG_LEN = 16;
+function loadKey() {
+  const hex = process.env[KEY_ENV];
+  if (!hex) {
+    throw new Error(`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`);
+  }
+  const key = Buffer.from(hex, "hex");
+  if (key.length !== 32) {
+    throw new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);
+  }
+  return key;
+}
+var _cachedKey = null;
+function getKey() {
+  if (!_cachedKey)
+    _cachedKey = loadKey();
+  return _cachedKey;
+}
+function encryptSecret(plaintext) {
+  const key = getKey();
+  const iv = randomBytes(IV_LEN);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, ciphertext]);
+}
+function decryptSecret(envelope) {
+  const key = getKey();
+  const iv = envelope.subarray(0, IV_LEN);
+  const tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);
+  const ciphertext = envelope.subarray(IV_LEN + TAG_LEN);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(ciphertext).toString("utf8") + decipher.final("utf8");
+}
+function generateSecretsKey() {
+  return randomBytes(32).toString("hex");
+}
+// src/db/queries/tenants.ts
+import { sql } from "kysely";
+async function insertTenant(db, input) {
+  const row = {
+    account_id: input.accountId,
+    slug: input.slug,
+    status: "active",
+    plan: input.plan,
+    cpus: input.cpus,
+    memory_mb: input.memoryMb,
+    storage_limit_mb: input.storageLimitMb,
+    pg_container_id: input.pgContainerId,
+    api_container_id: input.apiContainerId,
+    processor_container_id: input.processorContainerId,
+    target_database_url_enc: encryptSecret(input.targetDatabaseUrl),
+    tenant_jwt_secret_enc: encryptSecret(input.tenantJwtSecret),
+    anon_key_enc: encryptSecret(input.anonKey),
+    service_key_enc: encryptSecret(input.serviceKey),
+    api_url_internal: input.apiUrlInternal,
+    api_url_public: input.apiUrlPublic,
+    trial_ends_at: input.trialEndsAt,
+    project_id: input.projectId ?? null
+  };
+  return db.insertInto("tenants").values(row).returningAll().executeTakeFirstOrThrow();
+}
+async function getTenantByAccount(db, accountId) {
+  const row = await db.selectFrom("tenants").selectAll().where("account_id", "=", accountId).where("status", "<>", "deleted").orderBy("created_at", "desc").executeTakeFirst();
+  return row ?? null;
+}
+async function getTenantBySlug(db, slug) {
+  const row = await db.selectFrom("tenants").selectAll().where("slug", "=", slug).executeTakeFirst();
+  return row ?? null;
+}
+async function listTenantsByStatus(db, status) {
+  return db.selectFrom("tenants").selectAll().where("status", "=", status).execute();
+}
+async function listExpiredTrials(db, now = new Date) {
+  return db.selectFrom("tenants").selectAll().where("status", "in", ["provisioning", "active"]).where("trial_ends_at", "<", now).execute();
+}
+async function listSuspendedOlderThan(db, olderThan) {
+  return db.selectFrom("tenants").selectAll().where("status", "=", "suspended").where("suspended_at", "<", olderThan).execute();
+}
+async function setTenantStatus(db, slug, status) {
+  const patch = {
+    status,
+    updated_at: new Date
+  };
+  if (status === "suspended")
+    patch.suspended_at = new Date;
+  if (status === "active")
+    patch.suspended_at = null;
+  await db.updateTable("tenants").set(patch).where("slug", "=", slug).execute();
+}
+async function recordHealthCheck(db, slug, storageUsedMb) {
+  await db.updateTable("tenants").set({
+    last_health_check_at: new Date,
+    storage_used_mb: storageUsedMb,
+    updated_at: new Date
+  }).where("slug", "=", slug).execute();
+}
+async function recordMonthlyUsage(db, tenantId, storageMb) {
+  const now = new Date;
+  const periodMonth = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), 1));
+  await sql`
+		INSERT INTO tenant_usage_monthly (
+			tenant_id, period_month,
+			storage_peak_mb, storage_avg_mb, storage_last_mb,
+			measurements, first_at, last_at
+		) VALUES (
+			${tenantId}, ${periodMonth},
+			${storageMb}, ${storageMb}, ${storageMb},
+			1, now(), now()
+		)
+		ON CONFLICT (tenant_id, period_month) DO UPDATE SET
+			storage_peak_mb = GREATEST(tenant_usage_monthly.storage_peak_mb, EXCLUDED.storage_last_mb),
+			storage_avg_mb = (
+				(tenant_usage_monthly.storage_avg_mb * tenant_usage_monthly.measurements + EXCLUDED.storage_last_mb)
+				/ (tenant_usage_monthly.measurements + 1)
+			),
+			storage_last_mb = EXCLUDED.storage_last_mb,
+			measurements = tenant_usage_monthly.measurements + 1,
+			last_at = now()
+	`.execute(db);
+}
+async function updateTenantPlan(db, slug, plan, cpus, memoryMb, storageLimitMb) {
+  await db.updateTable("tenants").set({
+    plan,
+    cpus,
+    memory_mb: memoryMb,
+    storage_limit_mb: storageLimitMb,
+    updated_at: new Date
+  }).where("slug", "=", slug).execute();
+}
+async function bumpTenantKeyGen(db, slug, type) {
+  const bumpService = type === "service" || type === "both";
+  const bumpAnon = type === "anon" || type === "both";
+  const row = await db.updateTable("tenants").set((eb) => ({
+    service_gen: bumpService ? eb("service_gen", "+", 1) : eb.ref("service_gen"),
+    anon_gen: bumpAnon ? eb("anon_gen", "+", 1) : eb.ref("anon_gen"),
+    updated_at: new Date
+  })).where("slug", "=", slug).returning(["service_gen", "anon_gen"]).executeTakeFirstOrThrow();
+  return { serviceGen: row.service_gen, anonGen: row.anon_gen };
+}
+async function updateTenantKeys(db, slug, keys) {
+  const patch = { updated_at: new Date };
+  if (keys.serviceKey)
+    patch.service_key_enc = encryptSecret(keys.serviceKey);
+  if (keys.anonKey)
+    patch.anon_key_enc = encryptSecret(keys.anonKey);
+  if (Object.keys(patch).length === 1)
+    return;
+  await db.updateTable("tenants").set(patch).where("slug", "=", slug).execute();
+}
+async function deleteTenant(db, slug) {
+  const res = await db.deleteFrom("tenants").where("slug", "=", slug).executeTakeFirst();
+  return (res.numDeletedRows ?? 0n) > 0n;
+}
+async function getTenantCredentials(db, slug) {
+  const row = await db.selectFrom("tenants").select([
+    "slug",
+    "target_database_url_enc",
+    "tenant_jwt_secret_enc",
+    "anon_key_enc",
+    "service_key_enc",
+    "api_url_internal",
+    "api_url_public"
+  ]).where("slug", "=", slug).executeTakeFirst();
+  if (!row)
+    return null;
+  return {
+    slug: row.slug,
+    targetDatabaseUrl: decryptSecret(row.target_database_url_enc),
+    tenantJwtSecret: decryptSecret(row.tenant_jwt_secret_enc),
+    anonKey: decryptSecret(row.anon_key_enc),
+    serviceKey: decryptSecret(row.service_key_enc),
+    apiUrlInternal: row.api_url_internal,
+    apiUrlPublic: row.api_url_public
+  };
+}
+export {
+  updateTenantPlan,
+  updateTenantKeys,
+  setTenantStatus,
+  recordMonthlyUsage,
+  recordHealthCheck,
+  listTenantsByStatus,
+  listSuspendedOlderThan,
+  listExpiredTrials,
+  insertTenant,
+  getTenantCredentials,
+  getTenantBySlug,
+  getTenantByAccount,
+  deleteTenant,
+  bumpTenantKeyGen
+};
+//# debugId=06506A808C9D324064756E2164756E21
+//# sourceMappingURL=tenants.js.map

package/dist/src/db/queries/tenants.js.map ADDED Viewed

@@ -0,0 +1,11 @@
+{
+  "version": 3,
+  "sources": ["../src/crypto/secrets.ts", "../src/db/queries/tenants.ts"],
+  "sourcesContent": [
+    "import { createCipheriv, createDecipheriv, randomBytes } from \"node:crypto\";\n\n/**\n * AES-256-GCM symmetric envelope for workflow signer secrets.\n *\n * Ciphertext layout: `iv (12 bytes) || authTag (16 bytes) || ciphertext`\n *\n * The key comes from `SECONDLAYER_SECRETS_KEY` — 32 bytes hex. Callers must\n * load + cache the key once per process. Rotation strategy: when a customer\n * wants to rotate keys, re-encrypt all rows with the new key and swap the\n * env var. Not zero-downtime, but acceptable at v2 scale.\n *\n * For real KMS (AWS KMS, HashiCorp Vault, GCP KMS), wrap the same byte\n * layout behind an `EncryptSecret` / `DecryptSecret` interface in the\n * runner and swap the implementation at startup.\n */\n\nconst KEY_ENV = \"SECONDLAYER_SECRETS_KEY\";\nconst IV_LEN = 12;\nconst TAG_LEN = 16;\n\nfunction loadKey(): Buffer {\n\tconst hex = process.env[KEY_ENV];\n\tif (!hex) {\n\t\tthrow new Error(\n\t\t\t`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`,\n\t\t);\n\t}\n\tconst key = Buffer.from(hex, \"hex\");\n\tif (key.length !== 32) {\n\t\tthrow new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);\n\t}\n\treturn key;\n}\n\nlet _cachedKey: Buffer | null = null;\nfunction getKey(): Buffer {\n\tif (!_cachedKey) _cachedKey = loadKey();\n\treturn _cachedKey;\n}\n\nexport function encryptSecret(plaintext: string): Buffer {\n\tconst key = getKey();\n\tconst iv = randomBytes(IV_LEN);\n\tconst cipher = createCipheriv(\"aes-256-gcm\", key, iv);\n\tconst ciphertext = Buffer.concat([\n\t\tcipher.update(plaintext, \"utf8\"),\n\t\tcipher.final(),\n\t]);\n\tconst tag = cipher.getAuthTag();\n\treturn Buffer.concat([iv, tag, ciphertext]);\n}\n\nexport function decryptSecret(envelope: Buffer): string {\n\tconst key = getKey();\n\tconst iv = envelope.subarray(0, IV_LEN);\n\tconst tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);\n\tconst ciphertext = envelope.subarray(IV_LEN + TAG_LEN);\n\tconst decipher = createDecipheriv(\"aes-256-gcm\", key, iv);\n\tdecipher.setAuthTag(tag);\n\treturn decipher.update(ciphertext).toString(\"utf8\") + decipher.final(\"utf8\");\n}\n\n/** Generate a fresh 32-byte hex key suitable for `SECONDLAYER_SECRETS_KEY`. */\nexport function generateSecretsKey(): string {\n\treturn randomBytes(32).toString(\"hex\");\n}\n",
+    "import { type Kysely, sql } from \"kysely\";\nimport { decryptSecret, encryptSecret } from \"../../crypto/secrets.ts\";\nimport type { Database, InsertTenant, Tenant, TenantStatus } from \"../types.ts\";\n\n/**\n * Tenant registry queries. Encrypted columns are stored as `bytea` and\n * transparently encrypted/decrypted via `encryptSecret`/`decryptSecret`.\n *\n * Never return decrypted values from listTenants — only `getTenantCredentials`\n * surfaces plaintext, and only when explicitly called by a caller that\n * needs to hand creds to a CLI or dashboard session.\n */\n\nexport interface NewTenantInput {\n\taccountId: string;\n\tslug: string;\n\tplan: string;\n\tcpus: number;\n\tmemoryMb: number;\n\tstorageLimitMb: number;\n\tpgContainerId: string;\n\tapiContainerId: string;\n\tprocessorContainerId: string;\n\ttargetDatabaseUrl: string;\n\ttenantJwtSecret: string;\n\tanonKey: string;\n\tserviceKey: string;\n\tapiUrlInternal: string;\n\tapiUrlPublic: string;\n\ttrialEndsAt: Date;\n\tprojectId?: string;\n}\n\nexport async function insertTenant(\n\tdb: Kysely<Database>,\n\tinput: NewTenantInput,\n): Promise<Tenant> {\n\tconst row: InsertTenant = {\n\t\taccount_id: input.accountId,\n\t\tslug: input.slug,\n\t\tstatus: \"active\",\n\t\tplan: input.plan,\n\t\tcpus: input.cpus,\n\t\tmemory_mb: input.memoryMb,\n\t\tstorage_limit_mb: input.storageLimitMb,\n\t\tpg_container_id: input.pgContainerId,\n\t\tapi_container_id: input.apiContainerId,\n\t\tprocessor_container_id: input.processorContainerId,\n\t\ttarget_database_url_enc: encryptSecret(input.targetDatabaseUrl),\n\t\ttenant_jwt_secret_enc: encryptSecret(input.tenantJwtSecret),\n\t\tanon_key_enc: encryptSecret(input.anonKey),\n\t\tservice_key_enc: encryptSecret(input.serviceKey),\n\t\tapi_url_internal: input.apiUrlInternal,\n\t\tapi_url_public: input.apiUrlPublic,\n\t\ttrial_ends_at: input.trialEndsAt,\n\t\tproject_id: input.projectId ?? null,\n\t};\n\treturn db\n\t\t.insertInto(\"tenants\")\n\t\t.values(row)\n\t\t.returningAll()\n\t\t.executeTakeFirstOrThrow();\n}\n\nexport async function getTenantByAccount(\n\tdb: Kysely<Database>,\n\taccountId: string,\n): Promise<Tenant | null> {\n\tconst row = await db\n\t\t.selectFrom(\"tenants\")\n\t\t.selectAll()\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"status\", \"<>\", \"deleted\")\n\t\t.orderBy(\"created_at\", \"desc\")\n\t\t.executeTakeFirst();\n\treturn row ?? null;\n}\n\nexport async function getTenantBySlug(\n\tdb: Kysely<Database>,\n\tslug: string,\n): Promise<Tenant | null> {\n\tconst row = await db\n\t\t.selectFrom(\"tenants\")\n\t\t.selectAll()\n\t\t.where(\"slug\", \"=\", slug)\n\t\t.executeTakeFirst();\n\treturn row ?? null;\n}\n\nexport async function listTenantsByStatus(\n\tdb: Kysely<Database>,\n\tstatus: TenantStatus,\n): Promise<Tenant[]> {\n\treturn db\n\t\t.selectFrom(\"tenants\")\n\t\t.selectAll()\n\t\t.where(\"status\", \"=\", status)\n\t\t.execute();\n}\n\nexport async function listExpiredTrials(\n\tdb: Kysely<Database>,\n\tnow: Date = new Date(),\n): Promise<Tenant[]> {\n\treturn db\n\t\t.selectFrom(\"tenants\")\n\t\t.selectAll()\n\t\t.where(\"status\", \"in\", [\"provisioning\", \"active\"])\n\t\t.where(\"trial_ends_at\", \"<\", now)\n\t\t.execute();\n}\n\nexport async function listSuspendedOlderThan(\n\tdb: Kysely<Database>,\n\tolderThan: Date,\n): Promise<Tenant[]> {\n\treturn db\n\t\t.selectFrom(\"tenants\")\n\t\t.selectAll()\n\t\t.where(\"status\", \"=\", \"suspended\")\n\t\t.where(\"suspended_at\", \"<\", olderThan)\n\t\t.execute();\n}\n\nexport async function setTenantStatus(\n\tdb: Kysely<Database>,\n\tslug: string,\n\tstatus: TenantStatus,\n): Promise<void> {\n\tconst patch: Record<string, unknown> = {\n\t\tstatus,\n\t\tupdated_at: new Date(),\n\t};\n\tif (status === \"suspended\") patch.suspended_at = new Date();\n\tif (status === \"active\") patch.suspended_at = null;\n\tawait db.updateTable(\"tenants\").set(patch).where(\"slug\", \"=\", slug).execute();\n}\n\nexport async function recordHealthCheck(\n\tdb: Kysely<Database>,\n\tslug: string,\n\tstorageUsedMb: number | null,\n): Promise<void> {\n\tawait db\n\t\t.updateTable(\"tenants\")\n\t\t.set({\n\t\t\tlast_health_check_at: new Date(),\n\t\t\tstorage_used_mb: storageUsedMb,\n\t\t\tupdated_at: new Date(),\n\t\t})\n\t\t.where(\"slug\", \"=\", slug)\n\t\t.execute();\n}\n\n/**\n * Record a storage measurement into the current calendar month's bucket.\n * Maintains peak, running average, and the most recent value in a single\n * upsert. Billing will consume this later; for now the table just gives\n * us evidence of usage over time.\n */\nexport async function recordMonthlyUsage(\n\tdb: Kysely<Database>,\n\ttenantId: string,\n\tstorageMb: number,\n): Promise<void> {\n\t// Bucket is the first day of the current month (UTC), so the unique\n\t// (tenant_id, period_month) constraint groups all samples cleanly.\n\tconst now = new Date();\n\tconst periodMonth = new Date(\n\t\tDate.UTC(now.getUTCFullYear(), now.getUTCMonth(), 1),\n\t);\n\n\t// Running mean: avg_new = (avg_old * n + x) / (n + 1). Doing it in SQL\n\t// keeps the write atomic — no read-modify-write race between ticks.\n\tawait sql`\n\t\tINSERT INTO tenant_usage_monthly (\n\t\t\ttenant_id, period_month,\n\t\t\tstorage_peak_mb, storage_avg_mb, storage_last_mb,\n\t\t\tmeasurements, first_at, last_at\n\t\t) VALUES (\n\t\t\t${tenantId}, ${periodMonth},\n\t\t\t${storageMb}, ${storageMb}, ${storageMb},\n\t\t\t1, now(), now()\n\t\t)\n\t\tON CONFLICT (tenant_id, period_month) DO UPDATE SET\n\t\t\tstorage_peak_mb = GREATEST(tenant_usage_monthly.storage_peak_mb, EXCLUDED.storage_last_mb),\n\t\t\tstorage_avg_mb = (\n\t\t\t\t(tenant_usage_monthly.storage_avg_mb * tenant_usage_monthly.measurements + EXCLUDED.storage_last_mb)\n\t\t\t\t/ (tenant_usage_monthly.measurements + 1)\n\t\t\t),\n\t\t\tstorage_last_mb = EXCLUDED.storage_last_mb,\n\t\t\tmeasurements = tenant_usage_monthly.measurements + 1,\n\t\t\tlast_at = now()\n\t`.execute(db);\n}\n\nexport async function updateTenantPlan(\n\tdb: Kysely<Database>,\n\tslug: string,\n\tplan: string,\n\tcpus: number,\n\tmemoryMb: number,\n\tstorageLimitMb: number,\n): Promise<void> {\n\tawait db\n\t\t.updateTable(\"tenants\")\n\t\t.set({\n\t\t\tplan,\n\t\t\tcpus,\n\t\t\tmemory_mb: memoryMb,\n\t\t\tstorage_limit_mb: storageLimitMb,\n\t\t\tupdated_at: new Date(),\n\t\t})\n\t\t.where(\"slug\", \"=\", slug)\n\t\t.execute();\n}\n\nexport type RotateType = \"service\" | \"anon\" | \"both\";\n\n/**\n * Bump the selected gen counter(s) by 1 and return the new values.\n * Used by the key-rotate endpoint to force the tenant API to reject\n * previously-issued tokens of the rotated role(s).\n */\nexport async function bumpTenantKeyGen(\n\tdb: Kysely<Database>,\n\tslug: string,\n\ttype: RotateType,\n): Promise<{ serviceGen: number; anonGen: number }> {\n\tconst bumpService = type === \"service\" || type === \"both\";\n\tconst bumpAnon = type === \"anon\" || type === \"both\";\n\tconst row = await db\n\t\t.updateTable(\"tenants\")\n\t\t.set((eb) => ({\n\t\t\tservice_gen: bumpService\n\t\t\t\t? eb(\"service_gen\", \"+\", 1)\n\t\t\t\t: eb.ref(\"service_gen\"),\n\t\t\tanon_gen: bumpAnon ? eb(\"anon_gen\", \"+\", 1) : eb.ref(\"anon_gen\"),\n\t\t\tupdated_at: new Date(),\n\t\t}))\n\t\t.where(\"slug\", \"=\", slug)\n\t\t.returning([\"service_gen\", \"anon_gen\"])\n\t\t.executeTakeFirstOrThrow();\n\treturn { serviceGen: row.service_gen, anonGen: row.anon_gen };\n}\n\n/**\n * Replace the encrypted key columns after a successful rotate. Only the\n * rotated column(s) are written — the other stays untouched.\n */\nexport async function updateTenantKeys(\n\tdb: Kysely<Database>,\n\tslug: string,\n\tkeys: { serviceKey?: string; anonKey?: string },\n): Promise<void> {\n\tconst patch: Record<string, unknown> = { updated_at: new Date() };\n\tif (keys.serviceKey) patch.service_key_enc = encryptSecret(keys.serviceKey);\n\tif (keys.anonKey) patch.anon_key_enc = encryptSecret(keys.anonKey);\n\tif (Object.keys(patch).length === 1) return; // only updated_at — nothing to write\n\tawait db.updateTable(\"tenants\").set(patch).where(\"slug\", \"=\", slug).execute();\n}\n\n/**\n * Hard-delete a tenant row. Call only AFTER the provisioner has torn down\n * containers + volume; otherwise orphaned resources linger. Returns whether\n * a row was actually deleted.\n */\nexport async function deleteTenant(\n\tdb: Kysely<Database>,\n\tslug: string,\n): Promise<boolean> {\n\tconst res = await db\n\t\t.deleteFrom(\"tenants\")\n\t\t.where(\"slug\", \"=\", slug)\n\t\t.executeTakeFirst();\n\treturn (res.numDeletedRows ?? 0n) > 0n;\n}\n\nexport interface TenantCredentials {\n\tslug: string;\n\ttargetDatabaseUrl: string;\n\ttenantJwtSecret: string;\n\tanonKey: string;\n\tserviceKey: string;\n\tapiUrlInternal: string;\n\tapiUrlPublic: string;\n}\n\n/**\n * Decrypts the four encrypted columns and returns them plaintext. Call\n * this only when surfacing credentials to an authorized caller (dashboard,\n * CLI). Never log the returned object.\n */\nexport async function getTenantCredentials(\n\tdb: Kysely<Database>,\n\tslug: string,\n): Promise<TenantCredentials | null> {\n\tconst row = await db\n\t\t.selectFrom(\"tenants\")\n\t\t.select([\n\t\t\t\"slug\",\n\t\t\t\"target_database_url_enc\",\n\t\t\t\"tenant_jwt_secret_enc\",\n\t\t\t\"anon_key_enc\",\n\t\t\t\"service_key_enc\",\n\t\t\t\"api_url_internal\",\n\t\t\t\"api_url_public\",\n\t\t])\n\t\t.where(\"slug\", \"=\", slug)\n\t\t.executeTakeFirst();\n\tif (!row) return null;\n\treturn {\n\t\tslug: row.slug,\n\t\ttargetDatabaseUrl: decryptSecret(row.target_database_url_enc),\n\t\ttenantJwtSecret: decryptSecret(row.tenant_jwt_secret_enc),\n\t\tanonKey: decryptSecret(row.anon_key_enc),\n\t\tserviceKey: decryptSecret(row.service_key_enc),\n\t\tapiUrlInternal: row.api_url_internal,\n\t\tapiUrlPublic: row.api_url_public,\n\t};\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAiBA,IAAM,UAAU;AAChB,IAAM,SAAS;AACf,IAAM,UAAU;AAEhB,SAAS,OAAO,GAAW;AAAA,EAC1B,MAAM,MAAM,QAAQ,IAAI;AAAA,EACxB,IAAI,CAAC,KAAK;AAAA,IACT,MAAM,IAAI,MACT,GAAG,0DACJ;AAAA,EACD;AAAA,EACA,MAAM,MAAM,OAAO,KAAK,KAAK,KAAK;AAAA,EAClC,IAAI,IAAI,WAAW,IAAI;AAAA,IACtB,MAAM,IAAI,MAAM,GAAG,qCAAqC,IAAI,SAAS;AAAA,EACtE;AAAA,EACA,OAAO;AAAA;AAGR,IAAI,aAA4B;AAChC,SAAS,MAAM,GAAW;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,aAAa,QAAQ;AAAA,EACtC,OAAO;AAAA;AAGD,SAAS,aAAa,CAAC,WAA2B;AAAA,EACxD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,YAAY,MAAM;AAAA,EAC7B,MAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAAA,EACpD,MAAM,aAAa,OAAO,OAAO;AAAA,IAChC,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACd,CAAC;AAAA,EACD,MAAM,MAAM,OAAO,WAAW;AAAA,EAC9B,OAAO,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC;AAAA;AAGpC,SAAS,aAAa,CAAC,UAA0B;AAAA,EACvD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,SAAS,SAAS,GAAG,MAAM;AAAA,EACtC,MAAM,MAAM,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,EACtD,MAAM,aAAa,SAAS,SAAS,SAAS,OAAO;AAAA,EACrD,MAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AAAA,EACxD,SAAS,WAAW,GAAG;AAAA,EACvB,OAAO,SAAS,OAAO,UAAU,EAAE,SAAS,MAAM,IAAI,SAAS,MAAM,MAAM;AAAA;AAIrE,SAAS,kBAAkB,GAAW;AAAA,EAC5C,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA;;;ACjEtC;AAiCA,eAAsB,YAAY,CACjC,IACA,OACkB;AAAA,EAClB,MAAM,MAAoB;AAAA,IACzB,YAAY,MAAM;AAAA,IAClB,MAAM,MAAM;AAAA,IACZ,QAAQ;AAAA,IACR,MAAM,MAAM;AAAA,IACZ,MAAM,MAAM;AAAA,IACZ,WAAW,MAAM;AAAA,IACjB,kBAAkB,MAAM;AAAA,IACxB,iBAAiB,MAAM;AAAA,IACvB,kBAAkB,MAAM;AAAA,IACxB,wBAAwB,MAAM;AAAA,IAC9B,yBAAyB,cAAc,MAAM,iBAAiB;AAAA,IAC9D,uBAAuB,cAAc,MAAM,eAAe;AAAA,IAC1D,cAAc,cAAc,MAAM,OAAO;AAAA,IACzC,iBAAiB,cAAc,MAAM,UAAU;AAAA,IAC/C,kBAAkB,MAAM;AAAA,IACxB,gBAAgB,MAAM;AAAA,IACtB,eAAe,MAAM;AAAA,IACrB,YAAY,MAAM,aAAa;AAAA,EAChC;AAAA,EACA,OAAO,GACL,WAAW,SAAS,EACpB,OAAO,GAAG,EACV,aAAa,EACb,wBAAwB;AAAA;AAG3B,eAAsB,kBAAkB,CACvC,IACA,WACyB;AAAA,EACzB,MAAM,MAAM,MAAM,GAChB,WAAW,SAAS,EACpB,UAAU,EACV,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,UAAU,MAAM,SAAS,EAC/B,QAAQ,cAAc,MAAM,EAC5B,iBAAiB;AAAA,EACnB,OAAO,OAAO;AAAA;AAGf,eAAsB,eAAe,CACpC,IACA,MACyB;AAAA,EACzB,MAAM,MAAM,MAAM,GAChB,WAAW,SAAS,EACpB,UAAU,EACV,MAAM,QAAQ,KAAK,IAAI,EACvB,iBAAiB;AAAA,EACnB,OAAO,OAAO;AAAA;AAGf,eAAsB,mBAAmB,CACxC,IACA,QACoB;AAAA,EACpB,OAAO,GACL,WAAW,SAAS,EACpB,UAAU,EACV,MAAM,UAAU,KAAK,MAAM,EAC3B,QAAQ;AAAA;AAGX,eAAsB,iBAAiB,CACtC,IACA,MAAY,IAAI,MACI;AAAA,EACpB,OAAO,GACL,WAAW,SAAS,EACpB,UAAU,EACV,MAAM,UAAU,MAAM,CAAC,gBAAgB,QAAQ,CAAC,EAChD,MAAM,iBAAiB,KAAK,GAAG,EAC/B,QAAQ;AAAA;AAGX,eAAsB,sBAAsB,CAC3C,IACA,WACoB;AAAA,EACpB,OAAO,GACL,WAAW,SAAS,EACpB,UAAU,EACV,MAAM,UAAU,KAAK,WAAW,EAChC,MAAM,gBAAgB,KAAK,SAAS,EACpC,QAAQ;AAAA;AAGX,eAAsB,eAAe,CACpC,IACA,MACA,QACgB;AAAA,EAChB,MAAM,QAAiC;AAAA,IACtC;AAAA,IACA,YAAY,IAAI;AAAA,EACjB;AAAA,EACA,IAAI,WAAW;AAAA,IAAa,MAAM,eAAe,IAAI;AAAA,EACrD,IAAI,WAAW;AAAA,IAAU,MAAM,eAAe;AAAA,EAC9C,MAAM,GAAG,YAAY,SAAS,EAAE,IAAI,KAAK,EAAE,MAAM,QAAQ,KAAK,IAAI,EAAE,QAAQ;AAAA;AAG7E,eAAsB,iBAAiB,CACtC,IACA,MACA,eACgB;AAAA,EAChB,MAAM,GACJ,YAAY,SAAS,EACrB,IAAI;AAAA,IACJ,sBAAsB,IAAI;AAAA,IAC1B,iBAAiB;AAAA,IACjB,YAAY,IAAI;AAAA,EACjB,CAAC,EACA,MAAM,QAAQ,KAAK,IAAI,EACvB,QAAQ;AAAA;AASX,eAAsB,kBAAkB,CACvC,IACA,UACA,WACgB;AAAA,EAGhB,MAAM,MAAM,IAAI;AAAA,EAChB,MAAM,cAAc,IAAI,KACvB,KAAK,IAAI,IAAI,eAAe,GAAG,IAAI,YAAY,GAAG,CAAC,CACpD;AAAA,EAIA,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAMF,aAAa;AAAA,KACb,cAAc,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAY9B,QAAQ,EAAE;AAAA;AAGb,eAAsB,gBAAgB,CACrC,IACA,MACA,MACA,MACA,UACA,gBACgB;AAAA,EAChB,MAAM,GACJ,YAAY,SAAS,EACrB,IAAI;AAAA,IACJ;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB,YAAY,IAAI;AAAA,EACjB,CAAC,EACA,MAAM,QAAQ,KAAK,IAAI,EACvB,QAAQ;AAAA;AAUX,eAAsB,gBAAgB,CACrC,IACA,MACA,MACmD;AAAA,EACnD,MAAM,cAAc,SAAS,aAAa,SAAS;AAAA,EACnD,MAAM,WAAW,SAAS,UAAU,SAAS;AAAA,EAC7C,MAAM,MAAM,MAAM,GAChB,YAAY,SAAS,EACrB,IAAI,CAAC,QAAQ;AAAA,IACb,aAAa,cACV,GAAG,eAAe,KAAK,CAAC,IACxB,GAAG,IAAI,aAAa;AAAA,IACvB,UAAU,WAAW,GAAG,YAAY,KAAK,CAAC,IAAI,GAAG,IAAI,UAAU;AAAA,IAC/D,YAAY,IAAI;AAAA,EACjB,EAAE,EACD,MAAM,QAAQ,KAAK,IAAI,EACvB,UAAU,CAAC,eAAe,UAAU,CAAC,EACrC,wBAAwB;AAAA,EAC1B,OAAO,EAAE,YAAY,IAAI,aAAa,SAAS,IAAI,SAAS;AAAA;AAO7D,eAAsB,gBAAgB,CACrC,IACA,MACA,MACgB;AAAA,EAChB,MAAM,QAAiC,EAAE,YAAY,IAAI,KAAO;AAAA,EAChE,IAAI,KAAK;AAAA,IAAY,MAAM,kBAAkB,cAAc,KAAK,UAAU;AAAA,EAC1E,IAAI,KAAK;AAAA,IAAS,MAAM,eAAe,cAAc,KAAK,OAAO;AAAA,EACjE,IAAI,OAAO,KAAK,KAAK,EAAE,WAAW;AAAA,IAAG;AAAA,EACrC,MAAM,GAAG,YAAY,SAAS,EAAE,IAAI,KAAK,EAAE,MAAM,QAAQ,KAAK,IAAI,EAAE,QAAQ;AAAA;AAQ7E,eAAsB,YAAY,CACjC,IACA,MACmB;AAAA,EACnB,MAAM,MAAM,MAAM,GAChB,WAAW,SAAS,EACpB,MAAM,QAAQ,KAAK,IAAI,EACvB,iBAAiB;AAAA,EACnB,QAAQ,IAAI,kBAAkB,MAAM;AAAA;AAkBrC,eAAsB,oBAAoB,CACzC,IACA,MACoC;AAAA,EACpC,MAAM,MAAM,MAAM,GAChB,WAAW,SAAS,EACpB,OAAO;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACD,CAAC,EACA,MAAM,QAAQ,KAAK,IAAI,EACvB,iBAAiB;AAAA,EACnB,IAAI,CAAC;AAAA,IAAK,OAAO;AAAA,EACjB,OAAO;AAAA,IACN,MAAM,IAAI;AAAA,IACV,mBAAmB,cAAc,IAAI,uBAAuB;AAAA,IAC5D,iBAAiB,cAAc,IAAI,qBAAqB;AAAA,IACxD,SAAS,cAAc,IAAI,YAAY;AAAA,IACvC,YAAY,cAAc,IAAI,eAAe;AAAA,IAC7C,gBAAgB,IAAI;AAAA,IACpB,cAAc,IAAI;AAAA,EACnB;AAAA;",
+  "debugId": "06506A808C9D324064756E2164756E21",
+  "names": []
+}

package/dist/src/db/queries/usage.d.ts CHANGED Viewed

@@ -6,7 +6,7 @@ interface PlanLimits {
 }
 declare function getPlanLimits(plan: string): PlanLimits;
 import { Kysely } from "kysely";
-import { Generated } from "kysely";
+import { ColumnType, Generated } from "kysely";
 interface BlocksTable {
 	height: number;
 	hash: string;
@@ -63,7 +63,6 @@ interface SubgraphsTable {
 	last_error_at: Date | null;
 	total_processed: Generated<number>;
 	total_errors: Generated<number>;
-	api_key_id: string | null;
 	account_id: string;
 	handler_code: string | null;
 	source_code: string | null;
@@ -367,6 +366,63 @@ interface Database {
 	workflow_cursors: WorkflowCursorsTable;
 	workflow_signer_secrets: WorkflowSignerSecretsTable;
 	workflow_budgets: WorkflowBudgetsTable;
+	tenants: TenantsTable;
+	tenant_usage_monthly: TenantUsageMonthlyTable;
+	provisioning_audit_log: ProvisioningAuditLogTable;
+}
+type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
+interface TenantsTable {
+	id: Generated<string>;
+	account_id: string;
+	slug: string;
+	status: ColumnType<TenantStatus, TenantStatus | undefined, TenantStatus>;
+	plan: string;
+	cpus: ColumnType<number, number | string, number | string>;
+	memory_mb: number;
+	storage_limit_mb: number;
+	storage_used_mb: number | null;
+	pg_container_id: string | null;
+	api_container_id: string | null;
+	processor_container_id: string | null;
+	target_database_url_enc: Buffer;
+	tenant_jwt_secret_enc: Buffer;
+	anon_key_enc: Buffer;
+	service_key_enc: Buffer;
+	api_url_internal: string;
+	api_url_public: string;
+	trial_ends_at: Date;
+	suspended_at: Date | null;
+	last_health_check_at: Date | null;
+	service_gen: Generated<number>;
+	anon_gen: Generated<number>;
+	project_id: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface TenantUsageMonthlyTable {
+	id: Generated<string>;
+	tenant_id: string;
+	period_month: Date;
+	storage_peak_mb: Generated<number>;
+	storage_avg_mb: Generated<number>;
+	storage_last_mb: Generated<number>;
+	measurements: Generated<number>;
+	first_at: Generated<Date>;
+	last_at: Generated<Date>;
+}
+type ProvisioningAuditEvent = "provision.start" | "provision.success" | "provision.failure" | "suspend" | "resume" | "resize" | "keys.rotate" | "bastion.key.upload" | "bastion.key.revoke" | "teardown";
+type ProvisioningAuditStatus = "ok" | "error";
+interface ProvisioningAuditLogTable {
+	id: Generated<string>;
+	tenant_id: string | null;
+	tenant_slug: string | null;
+	account_id: string | null;
+	actor: string;
+	event: ProvisioningAuditEvent;
+	status: ProvisioningAuditStatus;
+	detail: unknown | null;
+	error: string | null;
+	created_at: Generated<Date>;
 }
 interface WorkflowBudgetsTable {
 	id: Generated<string>;

package/dist/src/db/queries/usage.js CHANGED Viewed

@@ -78,7 +78,7 @@ async function getDailyUsage(db, accountId) {
 async function checkLimits(db, accountId, plan) {
   const limits = getPlanLimits(plan);
   const usage = await getUsage(db, accountId);
-  const subgraphCount = await db.selectFrom("subgraphs").innerJoin("api_keys", "subgraphs.api_key_id", "api_keys.id").select(sql`count(*)`.as("count")).where("api_keys.account_id", "=", accountId).executeTakeFirst();
+  const subgraphCount = await db.selectFrom("subgraphs").select(sql`count(*)`.as("count")).where("account_id", "=", accountId).executeTakeFirst();
   const current = {
     ...usage,
     subgraphs: Number(subgraphCount?.count ?? 0)
@@ -98,7 +98,7 @@ async function checkLimits(db, accountId, plan) {
   return { allowed: true, limits, current };
 }
 async function measureStorage(db) {
-  const accountSubgraphs = await db.selectFrom("subgraphs").innerJoin("api_keys", "subgraphs.api_key_id", "api_keys.id").select(["api_keys.account_id", "subgraphs.schema_name"]).where("subgraphs.schema_name", "is not", null).execute();
+  const accountSubgraphs = await db.selectFrom("subgraphs").select(["account_id", "schema_name"]).where("schema_name", "is not", null).execute();
   const byAccount = new Map;
   for (const row of accountSubgraphs) {
     const schemas = byAccount.get(row.account_id) ?? [];
@@ -131,5 +131,5 @@ export {
   checkLimits
 };
-//# debugId=0844CA82D7046A1564756E2164756E21
+//# debugId=7A7AEE74ECF0C63664756E2164756E21
 //# sourceMappingURL=usage.js.map

package/dist/src/db/queries/usage.js.map CHANGED Viewed

@@ -3,9 +3,9 @@
   "sources": ["../src/lib/plans.ts", "../src/db/queries/usage.ts"],
   "sourcesContent": [
     "export interface PlanLimits {\n\tsubgraphs: number;\n\tapiRequestsPerDay: number;\n\tdeliveriesPerMonth: number;\n\tstorageBytes: number;\n}\n\nexport const FREE_PLAN: PlanLimits = {\n\tsubgraphs: 2,\n\tapiRequestsPerDay: 1_000,\n\tdeliveriesPerMonth: 5_000,\n\tstorageBytes: 100 * 1024 * 1024,\n};\n\nexport function getPlanLimits(plan: string): PlanLimits {\n\tswitch (plan) {\n\t\tcase \"free\":\n\t\tdefault:\n\t\t\treturn FREE_PLAN;\n\t}\n}\n",
-    "import { type Kysely, sql } from \"kysely\";\nimport { getPlanLimits } from \"../../lib/plans.ts\";\nimport type { Database } from \"../types.ts\";\n\n/** Increment API request counter for today. Fire-and-forget safe. */\nexport async function incrementApiRequests(\n\tdb: Kysely<Database>,\n\taccountId: string,\n): Promise<void> {\n\tconst today = new Date().toISOString().slice(0, 10);\n\tawait db\n\t\t.insertInto(\"usage_daily\")\n\t\t.values({\n\t\t\taccount_id: accountId,\n\t\t\tdate: today,\n\t\t\tapi_requests: 1,\n\t\t\tdeliveries: 0,\n\t\t})\n\t\t.onConflict((oc) =>\n\t\t\toc.columns([\"account_id\", \"date\"]).doUpdateSet({\n\t\t\t\tapi_requests: sql`usage_daily.api_requests + 1`,\n\t\t\t}),\n\t\t)\n\t\t.execute();\n}\n\nexport interface UsageSummary {\n\tapiRequestsToday: number;\n\tdeliveriesThisMonth: number;\n\tstorageBytes: number;\n}\n\n/** Get current usage for an account. */\nexport async function getUsage(\n\tdb: Kysely<Database>,\n\taccountId: string,\n): Promise<UsageSummary> {\n\tconst today = new Date().toISOString().slice(0, 10);\n\tconst monthStart = today.slice(0, 7) + \"-01\"; // YYYY-MM-01\n\n\t// Today's API requests\n\tconst dailyRow = await db\n\t\t.selectFrom(\"usage_daily\")\n\t\t.select(\"api_requests\")\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"date\", \"=\", today)\n\t\t.executeTakeFirst();\n\n\t// This month's deliveries\n\tconst monthlyRow = await db\n\t\t.selectFrom(\"usage_daily\")\n\t\t.select(sql<number>`COALESCE(SUM(deliveries), 0)`.as(\"total\"))\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"date\", \">=\", monthStart)\n\t\t.executeTakeFirst();\n\n\t// Latest storage snapshot\n\tconst storageRow = await db\n\t\t.selectFrom(\"usage_snapshots\")\n\t\t.select(\"storage_bytes\")\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.orderBy(\"measured_at\", \"desc\")\n\t\t.limit(1)\n\t\t.executeTakeFirst();\n\n\treturn {\n\t\tapiRequestsToday: dailyRow?.api_requests ?? 0,\n\t\tdeliveriesThisMonth: Number(monthlyRow?.total ?? 0),\n\t\tstorageBytes: Number(storageRow?.storage_bytes ?? 0),\n\t};\n}\n\nexport interface DailyUsage {\n\tdate: string;\n\tapiRequests: number;\n\tdeliveries: number;\n}\n\n/** Get last 7 days of daily usage, filling missing days with 0. */\nexport async function getDailyUsage(\n\tdb: Kysely<Database>,\n\taccountId: string,\n): Promise<DailyUsage[]> {\n\tconst rows = await db\n\t\t.selectFrom(\"usage_daily\")\n\t\t.select([\"date\", \"api_requests\", \"deliveries\"])\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"date\", \">=\", sql<string>`NOW()::date - 6`)\n\t\t.orderBy(\"date\", \"asc\")\n\t\t.execute();\n\n\t// Fill missing days with 0 (normalize date to YYYY-MM-DD string)\n\tconst byDate = new Map(\n\t\trows.map((r) => {\n\t\t\tconst d = r.date as unknown;\n\t\t\tconst key =\n\t\t\t\td instanceof Date\n\t\t\t\t\t? d.toISOString().slice(0, 10)\n\t\t\t\t\t: String(d).slice(0, 10);\n\t\t\treturn [key, r];\n\t\t}),\n\t);\n\tconst result: DailyUsage[] = [];\n\tfor (let i = 6; i >= 0; i--) {\n\t\tconst d = new Date();\n\t\td.setDate(d.getDate() - i);\n\t\tconst dateStr = d.toISOString().slice(0, 10);\n\t\tconst row = byDate.get(dateStr);\n\t\tresult.push({\n\t\t\tdate: dateStr,\n\t\t\tapiRequests: row?.api_requests ?? 0,\n\t\t\tdeliveries: row?.deliveries ?? 0,\n\t\t});\n\t}\n\treturn result;\n}\n\nexport interface LimitCheck {\n\tallowed: boolean;\n\tlimits: ReturnType<typeof getPlanLimits>;\n\tcurrent: UsageSummary & { subgraphs: number };\n\texceeded?: string;\n}\n\n/** Check if an account is within plan limits. */\nexport async function checkLimits(\n\tdb: Kysely<Database>,\n\taccountId: string,\n\tplan: string,\n): Promise<LimitCheck> {\n\tconst limits = getPlanLimits(plan);\n\tconst usage = await getUsage(db, accountId);\n\n\tconst subgraphCount = await db\n\t\t.selectFrom(\"subgraphs\")\n\t\t.innerJoin(\"api_keys\", \"subgraphs.api_key_id\", \"api_keys.id\")\n\t\t.select(sql<number>`count(*)`.as(\"count\"))\n\t\t.where(\"api_keys.account_id\", \"=\", accountId)\n\t\t.executeTakeFirst();\n\n\tconst current = {\n\t\t...usage,\n\t\tsubgraphs: Number(subgraphCount?.count ?? 0),\n\t};\n\n\tif (current.subgraphs >= limits.subgraphs) {\n\t\treturn { allowed: false, limits, current, exceeded: \"subgraphs\" };\n\t}\n\tif (current.apiRequestsToday >= limits.apiRequestsPerDay) {\n\t\treturn { allowed: false, limits, current, exceeded: \"api_requests\" };\n\t}\n\tif (current.deliveriesThisMonth >= limits.deliveriesPerMonth) {\n\t\treturn { allowed: false, limits, current, exceeded: \"deliveries\" };\n\t}\n\tif (current.storageBytes >= limits.storageBytes) {\n\t\treturn { allowed: false, limits, current, exceeded: \"storage\" };\n\t}\n\n\treturn { allowed: true, limits, current };\n}\n\n/**\n * Measure storage for all accounts by querying pg_total_relation_size\n * for each tenant's subgraph schemas.\n */\nexport async function measureStorage(db: Kysely<Database>): Promise<void> {\n\t// Get all accounts with subgraphs\n\tconst accountSubgraphs = await db\n\t\t.selectFrom(\"subgraphs\")\n\t\t.innerJoin(\"api_keys\", \"subgraphs.api_key_id\", \"api_keys.id\")\n\t\t.select([\"api_keys.account_id\", \"subgraphs.schema_name\"])\n\t\t.where(\"subgraphs.schema_name\", \"is not\", null)\n\t\t.execute();\n\n\t// Group schemas by account\n\tconst byAccount = new Map<string, string[]>();\n\tfor (const row of accountSubgraphs) {\n\t\tconst schemas = byAccount.get(row.account_id) ?? [];\n\t\tif (row.schema_name) schemas.push(row.schema_name);\n\t\tbyAccount.set(row.account_id, schemas);\n\t}\n\n\tfor (const [accountId, schemas] of byAccount) {\n\t\tlet totalBytes = 0;\n\t\tfor (const schema of schemas) {\n\t\t\ttry {\n\t\t\t\tconst result = await sql<{ size: string }>`\n          SELECT COALESCE(SUM(pg_total_relation_size(quote_ident(schemaname) || '.' || quote_ident(tablename))), 0)::text as size\n          FROM pg_tables WHERE schemaname = ${schema}\n        `.execute(db);\n\t\t\t\ttotalBytes += Number((result.rows[0] as any)?.size ?? 0);\n\t\t\t} catch {\n\t\t\t\t// Schema may not exist\n\t\t\t}\n\t\t}\n\n\t\tawait db\n\t\t\t.insertInto(\"usage_snapshots\")\n\t\t\t.values({\n\t\t\t\taccount_id: accountId,\n\t\t\t\tstorage_bytes: totalBytes,\n\t\t\t})\n\t\t\t.execute();\n\t}\n}\n"
+    "import { type Kysely, sql } from \"kysely\";\nimport { getPlanLimits } from \"../../lib/plans.ts\";\nimport type { Database } from \"../types.ts\";\n\n/** Increment API request counter for today. Fire-and-forget safe. */\nexport async function incrementApiRequests(\n\tdb: Kysely<Database>,\n\taccountId: string,\n): Promise<void> {\n\tconst today = new Date().toISOString().slice(0, 10);\n\tawait db\n\t\t.insertInto(\"usage_daily\")\n\t\t.values({\n\t\t\taccount_id: accountId,\n\t\t\tdate: today,\n\t\t\tapi_requests: 1,\n\t\t\tdeliveries: 0,\n\t\t})\n\t\t.onConflict((oc) =>\n\t\t\toc.columns([\"account_id\", \"date\"]).doUpdateSet({\n\t\t\t\tapi_requests: sql`usage_daily.api_requests + 1`,\n\t\t\t}),\n\t\t)\n\t\t.execute();\n}\n\nexport interface UsageSummary {\n\tapiRequestsToday: number;\n\tdeliveriesThisMonth: number;\n\tstorageBytes: number;\n}\n\n/** Get current usage for an account. */\nexport async function getUsage(\n\tdb: Kysely<Database>,\n\taccountId: string,\n): Promise<UsageSummary> {\n\tconst today = new Date().toISOString().slice(0, 10);\n\tconst monthStart = today.slice(0, 7) + \"-01\"; // YYYY-MM-01\n\n\t// Today's API requests\n\tconst dailyRow = await db\n\t\t.selectFrom(\"usage_daily\")\n\t\t.select(\"api_requests\")\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"date\", \"=\", today)\n\t\t.executeTakeFirst();\n\n\t// This month's deliveries\n\tconst monthlyRow = await db\n\t\t.selectFrom(\"usage_daily\")\n\t\t.select(sql<number>`COALESCE(SUM(deliveries), 0)`.as(\"total\"))\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"date\", \">=\", monthStart)\n\t\t.executeTakeFirst();\n\n\t// Latest storage snapshot\n\tconst storageRow = await db\n\t\t.selectFrom(\"usage_snapshots\")\n\t\t.select(\"storage_bytes\")\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.orderBy(\"measured_at\", \"desc\")\n\t\t.limit(1)\n\t\t.executeTakeFirst();\n\n\treturn {\n\t\tapiRequestsToday: dailyRow?.api_requests ?? 0,\n\t\tdeliveriesThisMonth: Number(monthlyRow?.total ?? 0),\n\t\tstorageBytes: Number(storageRow?.storage_bytes ?? 0),\n\t};\n}\n\nexport interface DailyUsage {\n\tdate: string;\n\tapiRequests: number;\n\tdeliveries: number;\n}\n\n/** Get last 7 days of daily usage, filling missing days with 0. */\nexport async function getDailyUsage(\n\tdb: Kysely<Database>,\n\taccountId: string,\n): Promise<DailyUsage[]> {\n\tconst rows = await db\n\t\t.selectFrom(\"usage_daily\")\n\t\t.select([\"date\", \"api_requests\", \"deliveries\"])\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"date\", \">=\", sql<string>`NOW()::date - 6`)\n\t\t.orderBy(\"date\", \"asc\")\n\t\t.execute();\n\n\t// Fill missing days with 0 (normalize date to YYYY-MM-DD string)\n\tconst byDate = new Map(\n\t\trows.map((r) => {\n\t\t\tconst d = r.date as unknown;\n\t\t\tconst key =\n\t\t\t\td instanceof Date\n\t\t\t\t\t? d.toISOString().slice(0, 10)\n\t\t\t\t\t: String(d).slice(0, 10);\n\t\t\treturn [key, r];\n\t\t}),\n\t);\n\tconst result: DailyUsage[] = [];\n\tfor (let i = 6; i >= 0; i--) {\n\t\tconst d = new Date();\n\t\td.setDate(d.getDate() - i);\n\t\tconst dateStr = d.toISOString().slice(0, 10);\n\t\tconst row = byDate.get(dateStr);\n\t\tresult.push({\n\t\t\tdate: dateStr,\n\t\t\tapiRequests: row?.api_requests ?? 0,\n\t\t\tdeliveries: row?.deliveries ?? 0,\n\t\t});\n\t}\n\treturn result;\n}\n\nexport interface LimitCheck {\n\tallowed: boolean;\n\tlimits: ReturnType<typeof getPlanLimits>;\n\tcurrent: UsageSummary & { subgraphs: number };\n\texceeded?: string;\n}\n\n/** Check if an account is within plan limits. */\nexport async function checkLimits(\n\tdb: Kysely<Database>,\n\taccountId: string,\n\tplan: string,\n): Promise<LimitCheck> {\n\tconst limits = getPlanLimits(plan);\n\tconst usage = await getUsage(db, accountId);\n\n\tconst subgraphCount = await db\n\t\t.selectFrom(\"subgraphs\")\n\t\t.select(sql<number>`count(*)`.as(\"count\"))\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.executeTakeFirst();\n\n\tconst current = {\n\t\t...usage,\n\t\tsubgraphs: Number(subgraphCount?.count ?? 0),\n\t};\n\n\tif (current.subgraphs >= limits.subgraphs) {\n\t\treturn { allowed: false, limits, current, exceeded: \"subgraphs\" };\n\t}\n\tif (current.apiRequestsToday >= limits.apiRequestsPerDay) {\n\t\treturn { allowed: false, limits, current, exceeded: \"api_requests\" };\n\t}\n\tif (current.deliveriesThisMonth >= limits.deliveriesPerMonth) {\n\t\treturn { allowed: false, limits, current, exceeded: \"deliveries\" };\n\t}\n\tif (current.storageBytes >= limits.storageBytes) {\n\t\treturn { allowed: false, limits, current, exceeded: \"storage\" };\n\t}\n\n\treturn { allowed: true, limits, current };\n}\n\n/**\n * Measure storage for all accounts by querying pg_total_relation_size\n * for each tenant's subgraph schemas.\n */\nexport async function measureStorage(db: Kysely<Database>): Promise<void> {\n\t// Get all accounts with subgraphs\n\tconst accountSubgraphs = await db\n\t\t.selectFrom(\"subgraphs\")\n\t\t.select([\"account_id\", \"schema_name\"])\n\t\t.where(\"schema_name\", \"is not\", null)\n\t\t.execute();\n\n\t// Group schemas by account\n\tconst byAccount = new Map<string, string[]>();\n\tfor (const row of accountSubgraphs) {\n\t\tconst schemas = byAccount.get(row.account_id) ?? [];\n\t\tif (row.schema_name) schemas.push(row.schema_name);\n\t\tbyAccount.set(row.account_id, schemas);\n\t}\n\n\tfor (const [accountId, schemas] of byAccount) {\n\t\tlet totalBytes = 0;\n\t\tfor (const schema of schemas) {\n\t\t\ttry {\n\t\t\t\tconst result = await sql<{ size: string }>`\n          SELECT COALESCE(SUM(pg_total_relation_size(quote_ident(schemaname) || '.' || quote_ident(tablename))), 0)::text as size\n          FROM pg_tables WHERE schemaname = ${schema}\n        `.execute(db);\n\t\t\t\ttotalBytes += Number((result.rows[0] as any)?.size ?? 0);\n\t\t\t} catch {\n\t\t\t\t// Schema may not exist\n\t\t\t}\n\t\t}\n\n\t\tawait db\n\t\t\t.insertInto(\"usage_snapshots\")\n\t\t\t.values({\n\t\t\t\taccount_id: accountId,\n\t\t\t\tstorage_bytes: totalBytes,\n\t\t\t})\n\t\t\t.execute();\n\t}\n}\n"
   ],
-  "mappings": ";;;;;;;;;;;;;;;;;AAOO,IAAM,YAAwB;AAAA,EACpC,WAAW;AAAA,EACX,mBAAmB;AAAA,EACnB,oBAAoB;AAAA,EACpB,cAAc,MAAM,OAAO;AAC5B;AAEO,SAAS,aAAa,CAAC,MAA0B;AAAA,EACvD,QAAQ;AAAA,SACF;AAAA;AAAA,MAEJ,OAAO;AAAA;AAAA;;;AClBV;AAKA,eAAsB,oBAAoB,CACzC,IACA,WACgB;AAAA,EAChB,MAAM,QAAQ,IAAI,KAAK,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE;AAAA,EAClD,MAAM,GACJ,WAAW,aAAa,EACxB,OAAO;AAAA,IACP,YAAY;AAAA,IACZ,MAAM;AAAA,IACN,cAAc;AAAA,IACd,YAAY;AAAA,EACb,CAAC,EACA,WAAW,CAAC,OACZ,GAAG,QAAQ,CAAC,cAAc,MAAM,CAAC,EAAE,YAAY;AAAA,IAC9C,cAAc;AAAA,EACf,CAAC,CACF,EACC,QAAQ;AAAA;AAUX,eAAsB,QAAQ,CAC7B,IACA,WACwB;AAAA,EACxB,MAAM,QAAQ,IAAI,KAAK,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE;AAAA,EAClD,MAAM,aAAa,MAAM,MAAM,GAAG,CAAC,IAAI;AAAA,EAGvC,MAAM,WAAW,MAAM,GACrB,WAAW,aAAa,EACxB,OAAO,cAAc,EACrB,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,QAAQ,KAAK,KAAK,EACxB,iBAAiB;AAAA,EAGnB,MAAM,aAAa,MAAM,GACvB,WAAW,aAAa,EACxB,OAAO,kCAA0C,GAAG,OAAO,CAAC,EAC5D,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,QAAQ,MAAM,UAAU,EAC9B,iBAAiB;AAAA,EAGnB,MAAM,aAAa,MAAM,GACvB,WAAW,iBAAiB,EAC5B,OAAO,eAAe,EACtB,MAAM,cAAc,KAAK,SAAS,EAClC,QAAQ,eAAe,MAAM,EAC7B,MAAM,CAAC,EACP,iBAAiB;AAAA,EAEnB,OAAO;AAAA,IACN,kBAAkB,UAAU,gBAAgB;AAAA,IAC5C,qBAAqB,OAAO,YAAY,SAAS,CAAC;AAAA,IAClD,cAAc,OAAO,YAAY,iBAAiB,CAAC;AAAA,EACpD;AAAA;AAUD,eAAsB,aAAa,CAClC,IACA,WACwB;AAAA,EACxB,MAAM,OAAO,MAAM,GACjB,WAAW,aAAa,EACxB,OAAO,CAAC,QAAQ,gBAAgB,YAAY,CAAC,EAC7C,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,QAAQ,MAAM,oBAA4B,EAChD,QAAQ,QAAQ,KAAK,EACrB,QAAQ;AAAA,EAGV,MAAM,SAAS,IAAI,IAClB,KAAK,IAAI,CAAC,MAAM;AAAA,IACf,MAAM,IAAI,EAAE;AAAA,IACZ,MAAM,MACL,aAAa,OACV,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE,IAC3B,OAAO,CAAC,EAAE,MAAM,GAAG,EAAE;AAAA,IACzB,OAAO,CAAC,KAAK,CAAC;AAAA,GACd,CACF;AAAA,EACA,MAAM,SAAuB,CAAC;AAAA,EAC9B,SAAS,IAAI,EAAG,KAAK,GAAG,KAAK;AAAA,IAC5B,MAAM,IAAI,IAAI;AAAA,IACd,EAAE,QAAQ,EAAE,QAAQ,IAAI,CAAC;AAAA,IACzB,MAAM,UAAU,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE;AAAA,IAC3C,MAAM,MAAM,OAAO,IAAI,OAAO;AAAA,IAC9B,OAAO,KAAK;AAAA,MACX,MAAM;AAAA,MACN,aAAa,KAAK,gBAAgB;AAAA,MAClC,YAAY,KAAK,cAAc;AAAA,IAChC,CAAC;AAAA,EACF;AAAA,EACA,OAAO;AAAA;AAWR,eAAsB,WAAW,CAChC,IACA,WACA,MACsB;AAAA,EACtB,MAAM,SAAS,cAAc,IAAI;AAAA,EACjC,MAAM,QAAQ,MAAM,SAAS,IAAI,SAAS;AAAA,EAE1C,MAAM,gBAAgB,MAAM,GAC1B,WAAW,WAAW,EACtB,UAAU,YAAY,wBAAwB,aAAa,EAC3D,OAAO,cAAsB,GAAG,OAAO,CAAC,EACxC,MAAM,uBAAuB,KAAK,SAAS,EAC3C,iBAAiB;AAAA,EAEnB,MAAM,UAAU;AAAA,OACZ;AAAA,IACH,WAAW,OAAO,eAAe,SAAS,CAAC;AAAA,EAC5C;AAAA,EAEA,IAAI,QAAQ,aAAa,OAAO,WAAW;AAAA,IAC1C,OAAO,EAAE,SAAS,OAAO,QAAQ,SAAS,UAAU,YAAY;AAAA,EACjE;AAAA,EACA,IAAI,QAAQ,oBAAoB,OAAO,mBAAmB;AAAA,IACzD,OAAO,EAAE,SAAS,OAAO,QAAQ,SAAS,UAAU,eAAe;AAAA,EACpE;AAAA,EACA,IAAI,QAAQ,uBAAuB,OAAO,oBAAoB;AAAA,IAC7D,OAAO,EAAE,SAAS,OAAO,QAAQ,SAAS,UAAU,aAAa;AAAA,EAClE;AAAA,EACA,IAAI,QAAQ,gBAAgB,OAAO,cAAc;AAAA,IAChD,OAAO,EAAE,SAAS,OAAO,QAAQ,SAAS,UAAU,UAAU;AAAA,EAC/D;AAAA,EAEA,OAAO,EAAE,SAAS,MAAM,QAAQ,QAAQ;AAAA;AAOzC,eAAsB,cAAc,CAAC,IAAqC;AAAA,EAEzE,MAAM,mBAAmB,MAAM,GAC7B,WAAW,WAAW,EACtB,UAAU,YAAY,wBAAwB,aAAa,EAC3D,OAAO,CAAC,uBAAuB,uBAAuB,CAAC,EACvD,MAAM,yBAAyB,UAAU,IAAI,EAC7C,QAAQ;AAAA,EAGV,MAAM,YAAY,IAAI;AAAA,EACtB,WAAW,OAAO,kBAAkB;AAAA,IACnC,MAAM,UAAU,UAAU,IAAI,IAAI,UAAU,KAAK,CAAC;AAAA,IAClD,IAAI,IAAI;AAAA,MAAa,QAAQ,KAAK,IAAI,WAAW;AAAA,IACjD,UAAU,IAAI,IAAI,YAAY,OAAO;AAAA,EACtC;AAAA,EAEA,YAAY,WAAW,YAAY,WAAW;AAAA,IAC7C,IAAI,aAAa;AAAA,IACjB,WAAW,UAAU,SAAS;AAAA,MAC7B,IAAI;AAAA,QACH,MAAM,SAAS,MAAM;AAAA;AAAA,8CAEqB;AAAA,UACpC,QAAQ,EAAE;AAAA,QAChB,cAAc,OAAQ,OAAO,KAAK,IAAY,QAAQ,CAAC;AAAA,QACtD,MAAM;AAAA,IAGT;AAAA,IAEA,MAAM,GACJ,WAAW,iBAAiB,EAC5B,OAAO;AAAA,MACP,YAAY;AAAA,MACZ,eAAe;AAAA,IAChB,CAAC,EACA,QAAQ;AAAA,EACX;AAAA;",
-  "debugId": "0844CA82D7046A1564756E2164756E21",
+  "mappings": ";;;;;;;;;;;;;;;;;AAOO,IAAM,YAAwB;AAAA,EACpC,WAAW;AAAA,EACX,mBAAmB;AAAA,EACnB,oBAAoB;AAAA,EACpB,cAAc,MAAM,OAAO;AAC5B;AAEO,SAAS,aAAa,CAAC,MAA0B;AAAA,EACvD,QAAQ;AAAA,SACF;AAAA;AAAA,MAEJ,OAAO;AAAA;AAAA;;;AClBV;AAKA,eAAsB,oBAAoB,CACzC,IACA,WACgB;AAAA,EAChB,MAAM,QAAQ,IAAI,KAAK,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE;AAAA,EAClD,MAAM,GACJ,WAAW,aAAa,EACxB,OAAO;AAAA,IACP,YAAY;AAAA,IACZ,MAAM;AAAA,IACN,cAAc;AAAA,IACd,YAAY;AAAA,EACb,CAAC,EACA,WAAW,CAAC,OACZ,GAAG,QAAQ,CAAC,cAAc,MAAM,CAAC,EAAE,YAAY;AAAA,IAC9C,cAAc;AAAA,EACf,CAAC,CACF,EACC,QAAQ;AAAA;AAUX,eAAsB,QAAQ,CAC7B,IACA,WACwB;AAAA,EACxB,MAAM,QAAQ,IAAI,KAAK,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE;AAAA,EAClD,MAAM,aAAa,MAAM,MAAM,GAAG,CAAC,IAAI;AAAA,EAGvC,MAAM,WAAW,MAAM,GACrB,WAAW,aAAa,EACxB,OAAO,cAAc,EACrB,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,QAAQ,KAAK,KAAK,EACxB,iBAAiB;AAAA,EAGnB,MAAM,aAAa,MAAM,GACvB,WAAW,aAAa,EACxB,OAAO,kCAA0C,GAAG,OAAO,CAAC,EAC5D,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,QAAQ,MAAM,UAAU,EAC9B,iBAAiB;AAAA,EAGnB,MAAM,aAAa,MAAM,GACvB,WAAW,iBAAiB,EAC5B,OAAO,eAAe,EACtB,MAAM,cAAc,KAAK,SAAS,EAClC,QAAQ,eAAe,MAAM,EAC7B,MAAM,CAAC,EACP,iBAAiB;AAAA,EAEnB,OAAO;AAAA,IACN,kBAAkB,UAAU,gBAAgB;AAAA,IAC5C,qBAAqB,OAAO,YAAY,SAAS,CAAC;AAAA,IAClD,cAAc,OAAO,YAAY,iBAAiB,CAAC;AAAA,EACpD;AAAA;AAUD,eAAsB,aAAa,CAClC,IACA,WACwB;AAAA,EACxB,MAAM,OAAO,MAAM,GACjB,WAAW,aAAa,EACxB,OAAO,CAAC,QAAQ,gBAAgB,YAAY,CAAC,EAC7C,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,QAAQ,MAAM,oBAA4B,EAChD,QAAQ,QAAQ,KAAK,EACrB,QAAQ;AAAA,EAGV,MAAM,SAAS,IAAI,IAClB,KAAK,IAAI,CAAC,MAAM;AAAA,IACf,MAAM,IAAI,EAAE;AAAA,IACZ,MAAM,MACL,aAAa,OACV,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE,IAC3B,OAAO,CAAC,EAAE,MAAM,GAAG,EAAE;AAAA,IACzB,OAAO,CAAC,KAAK,CAAC;AAAA,GACd,CACF;AAAA,EACA,MAAM,SAAuB,CAAC;AAAA,EAC9B,SAAS,IAAI,EAAG,KAAK,GAAG,KAAK;AAAA,IAC5B,MAAM,IAAI,IAAI;AAAA,IACd,EAAE,QAAQ,EAAE,QAAQ,IAAI,CAAC;AAAA,IACzB,MAAM,UAAU,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE;AAAA,IAC3C,MAAM,MAAM,OAAO,IAAI,OAAO;AAAA,IAC9B,OAAO,KAAK;AAAA,MACX,MAAM;AAAA,MACN,aAAa,KAAK,gBAAgB;AAAA,MAClC,YAAY,KAAK,cAAc;AAAA,IAChC,CAAC;AAAA,EACF;AAAA,EACA,OAAO;AAAA;AAWR,eAAsB,WAAW,CAChC,IACA,WACA,MACsB;AAAA,EACtB,MAAM,SAAS,cAAc,IAAI;AAAA,EACjC,MAAM,QAAQ,MAAM,SAAS,IAAI,SAAS;AAAA,EAE1C,MAAM,gBAAgB,MAAM,GAC1B,WAAW,WAAW,EACtB,OAAO,cAAsB,GAAG,OAAO,CAAC,EACxC,MAAM,cAAc,KAAK,SAAS,EAClC,iBAAiB;AAAA,EAEnB,MAAM,UAAU;AAAA,OACZ;AAAA,IACH,WAAW,OAAO,eAAe,SAAS,CAAC;AAAA,EAC5C;AAAA,EAEA,IAAI,QAAQ,aAAa,OAAO,WAAW;AAAA,IAC1C,OAAO,EAAE,SAAS,OAAO,QAAQ,SAAS,UAAU,YAAY;AAAA,EACjE;AAAA,EACA,IAAI,QAAQ,oBAAoB,OAAO,mBAAmB;AAAA,IACzD,OAAO,EAAE,SAAS,OAAO,QAAQ,SAAS,UAAU,eAAe;AAAA,EACpE;AAAA,EACA,IAAI,QAAQ,uBAAuB,OAAO,oBAAoB;AAAA,IAC7D,OAAO,EAAE,SAAS,OAAO,QAAQ,SAAS,UAAU,aAAa;AAAA,EAClE;AAAA,EACA,IAAI,QAAQ,gBAAgB,OAAO,cAAc;AAAA,IAChD,OAAO,EAAE,SAAS,OAAO,QAAQ,SAAS,UAAU,UAAU;AAAA,EAC/D;AAAA,EAEA,OAAO,EAAE,SAAS,MAAM,QAAQ,QAAQ;AAAA;AAOzC,eAAsB,cAAc,CAAC,IAAqC;AAAA,EAEzE,MAAM,mBAAmB,MAAM,GAC7B,WAAW,WAAW,EACtB,OAAO,CAAC,cAAc,aAAa,CAAC,EACpC,MAAM,eAAe,UAAU,IAAI,EACnC,QAAQ;AAAA,EAGV,MAAM,YAAY,IAAI;AAAA,EACtB,WAAW,OAAO,kBAAkB;AAAA,IACnC,MAAM,UAAU,UAAU,IAAI,IAAI,UAAU,KAAK,CAAC;AAAA,IAClD,IAAI,IAAI;AAAA,MAAa,QAAQ,KAAK,IAAI,WAAW;AAAA,IACjD,UAAU,IAAI,IAAI,YAAY,OAAO;AAAA,EACtC;AAAA,EAEA,YAAY,WAAW,YAAY,WAAW;AAAA,IAC7C,IAAI,aAAa;AAAA,IACjB,WAAW,UAAU,SAAS;AAAA,MAC7B,IAAI;AAAA,QACH,MAAM,SAAS,MAAM;AAAA;AAAA,8CAEqB;AAAA,UACpC,QAAQ,EAAE;AAAA,QAChB,cAAc,OAAQ,OAAO,KAAK,IAAY,QAAQ,CAAC;AAAA,QACtD,MAAM;AAAA,IAGT;AAAA,IAEA,MAAM,GACJ,WAAW,iBAAiB,EAC5B,OAAO;AAAA,MACP,YAAY;AAAA,MACZ,eAAe;AAAA,IAChB,CAAC,EACA,QAAQ;AAAA,EACX;AAAA;",
+  "debugId": "7A7AEE74ECF0C63664756E2164756E21",
   "names": []
 }

package/dist/src/db/queries/workflows.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { Kysely } from "kysely";
-import { Generated, Selectable } from "kysely";
+import { ColumnType, Generated, Selectable } from "kysely";
 interface BlocksTable {
 	height: number;
 	hash: string;
@@ -56,7 +56,6 @@ interface SubgraphsTable {
 	last_error_at: Date | null;
 	total_processed: Generated<number>;
 	total_errors: Generated<number>;
-	api_key_id: string | null;
 	account_id: string;
 	handler_code: string | null;
 	source_code: string | null;
@@ -360,6 +359,63 @@ interface Database {
 	workflow_cursors: WorkflowCursorsTable;
 	workflow_signer_secrets: WorkflowSignerSecretsTable;
 	workflow_budgets: WorkflowBudgetsTable;
+	tenants: TenantsTable;
+	tenant_usage_monthly: TenantUsageMonthlyTable;
+	provisioning_audit_log: ProvisioningAuditLogTable;
+}
+type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
+interface TenantsTable {
+	id: Generated<string>;
+	account_id: string;
+	slug: string;
+	status: ColumnType<TenantStatus, TenantStatus | undefined, TenantStatus>;
+	plan: string;
+	cpus: ColumnType<number, number | string, number | string>;
+	memory_mb: number;
+	storage_limit_mb: number;
+	storage_used_mb: number | null;
+	pg_container_id: string | null;
+	api_container_id: string | null;
+	processor_container_id: string | null;
+	target_database_url_enc: Buffer;
+	tenant_jwt_secret_enc: Buffer;
+	anon_key_enc: Buffer;
+	service_key_enc: Buffer;
+	api_url_internal: string;
+	api_url_public: string;
+	trial_ends_at: Date;
+	suspended_at: Date | null;
+	last_health_check_at: Date | null;
+	service_gen: Generated<number>;
+	anon_gen: Generated<number>;
+	project_id: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface TenantUsageMonthlyTable {
+	id: Generated<string>;
+	tenant_id: string;
+	period_month: Date;
+	storage_peak_mb: Generated<number>;
+	storage_avg_mb: Generated<number>;
+	storage_last_mb: Generated<number>;
+	measurements: Generated<number>;
+	first_at: Generated<Date>;
+	last_at: Generated<Date>;
+}
+type ProvisioningAuditEvent = "provision.start" | "provision.success" | "provision.failure" | "suspend" | "resume" | "resize" | "keys.rotate" | "bastion.key.upload" | "bastion.key.revoke" | "teardown";
+type ProvisioningAuditStatus = "ok" | "error";
+interface ProvisioningAuditLogTable {
+	id: Generated<string>;
+	tenant_id: string | null;
+	tenant_slug: string | null;
+	account_id: string | null;
+	actor: string;
+	event: ProvisioningAuditEvent;
+	status: ProvisioningAuditStatus;
+	detail: unknown | null;
+	error: string | null;
+	created_at: Generated<Date>;
 }
 interface WorkflowBudgetsTable {
 	id: Generated<string>;

package/dist/src/db/queries/workflows.js CHANGED Viewed

@@ -40,7 +40,12 @@ var ErrorCodes = {
   RATE_LIMIT_ERROR: "RATE_LIMIT_ERROR",
   FORBIDDEN: "FORBIDDEN",
   VERSION_CONFLICT: "VERSION_CONFLICT",
-  NOT_FOUND: "NOT_FOUND"
+  NOT_FOUND: "NOT_FOUND",
+  KEY_ROTATED: "KEY_ROTATED",
+  TRIAL_EXPIRED: "TRIAL_EXPIRED",
+  TENANT_SUSPENDED: "TENANT_SUSPENDED",
+  NO_TENANT_FOR_PROJECT: "NO_TENANT_FOR_PROJECT",
+  INSTANCE_EXISTS: "INSTANCE_EXISTS"
 };
 class SecondLayerError extends Error {
@@ -115,13 +120,36 @@ class VersionConflictError extends SecondLayerError {
     this.expectedVersion = expectedVersion;
   }
 }
+class KeyRotatedError extends SecondLayerError {
+  constructor(message = "Token has been rotated") {
+    super("KEY_ROTATED", message);
+  }
+}
+class TrialExpiredError extends SecondLayerError {
+  constructor(message) {
+    super("TRIAL_EXPIRED", message);
+  }
+}
+class TenantSuspendedError extends SecondLayerError {
+  constructor(message = "Instance is suspended") {
+    super("TENANT_SUSPENDED", message);
+  }
+}
 var CODE_TO_STATUS = {
   AUTHENTICATION_ERROR: 401,
   AUTHORIZATION_ERROR: 403,
   RATE_LIMIT_ERROR: 429,
   FORBIDDEN: 403,
   NOT_FOUND: 404,
-  VALIDATION_ERROR: 400
+  VALIDATION_ERROR: 400,
+  KEY_ROTATED: 401,
+  TRIAL_EXPIRED: 402,
+  TENANT_SUSPENDED: 423,
+  NO_TENANT_FOR_PROJECT: 404,
+  INSTANCE_EXISTS: 409
 };
 function getErrorMessage(err) {
   return err instanceof Error ? err.message : String(err);
@@ -228,5 +256,5 @@ export {
   bumpPatch
 };
-//# debugId=A3CE9B539936424A64756E2164756E21
+//# debugId=E33493756835BCAB64756E2164756E21
 //# sourceMappingURL=workflows.js.map

package/dist/src/db/queries/workflows.js.map CHANGED Viewed

@@ -2,11 +2,11 @@
   "version": 3,
   "sources": ["../src/db/jsonb.ts", "../src/errors.ts", "../src/db/queries/workflows.ts"],
   "sourcesContent": [
-    "import { type RawBuilder, sql } from \"kysely\";\n\n/**\n * Safely encode a JS value as a JSONB literal for Kysely inserts/updates.\n * Kysely + postgres.js double-encodes JSON when using parameterized queries\n * with ::jsonb casts. This uses sql.raw to inline a properly escaped literal.\n */\nexport function jsonb(value: unknown): RawBuilder<unknown> {\n\tconst escaped = JSON.stringify(value, (_k, v) => (typeof v === \"bigint\" ? v.toString() : v)).replace(/'/g, \"''\");\n\treturn sql`${sql.raw(`'${escaped}'::jsonb`)}`;\n}\n\n/**\n * Safely parse a JSONB value from the database.\n * Handles double-encoded strings where postgres.js returns a JSON string\n * instead of a parsed object.\n */\nexport function parseJsonb<T = unknown>(value: unknown): T {\n\tif (typeof value === \"string\") {\n\t\ttry {\n\t\t\treturn JSON.parse(value) as T;\n\t\t} catch {\n\t\t\treturn value as T;\n\t\t}\n\t}\n\treturn (value ?? {}) as T;\n}\n",
-    "export const ErrorCodes = {\n\tVALIDATION_ERROR: \"VALIDATION_ERROR\",\n\tDATABASE_ERROR: \"DATABASE_ERROR\",\n\tAUTHENTICATION_ERROR: \"AUTHENTICATION_ERROR\",\n\tAUTHORIZATION_ERROR: \"AUTHORIZATION_ERROR\",\n\tRATE_LIMIT_ERROR: \"RATE_LIMIT_ERROR\",\n\tFORBIDDEN: \"FORBIDDEN\",\n\tVERSION_CONFLICT: \"VERSION_CONFLICT\",\n\tNOT_FOUND: \"NOT_FOUND\",\n} as const;\n\nexport type ErrorCode = (typeof ErrorCodes)[keyof typeof ErrorCodes];\n\n/** Base error class for all Secondlayer errors. */\nexport class SecondLayerError extends Error {\n\tpublic code: ErrorCode;\n\tpublic override cause?: unknown;\n\n\tconstructor(code: ErrorCode, message: string, cause?: unknown) {\n\t\tsuper(message);\n\t\tthis.code = code;\n\t\tthis.cause = cause;\n\t\tthis.name = this.constructor.name;\n\t\tError.captureStackTrace?.(this, this.constructor);\n\t}\n\n\ttoJSON(): {\n\t\tname: string;\n\t\tcode: string;\n\t\tmessage: string;\n\t\tstack: string | undefined;\n\t\tcause: unknown;\n\t} {\n\t\treturn {\n\t\t\tname: this.name,\n\t\t\tcode: this.code,\n\t\t\tmessage: this.message,\n\t\t\tstack: this.stack,\n\t\t\tcause: this.cause,\n\t\t};\n\t}\n}\n\nexport class NotFoundError extends SecondLayerError {\n\tconstructor(message: string) {\n\t\tsuper(\"NOT_FOUND\", message);\n\t}\n}\n\nexport class ValidationError extends SecondLayerError {\n\tconstructor(message: string, cause?: unknown) {\n\t\tsuper(\"VALIDATION_ERROR\", message, cause);\n\t}\n}\n\nexport class DatabaseError extends SecondLayerError {\n\tconstructor(message: string, cause?: unknown) {\n\t\tsuper(\"DATABASE_ERROR\", message, cause);\n\t}\n}\n\nexport class AuthenticationError extends SecondLayerError {\n\tconstructor(message: string) {\n\t\tsuper(\"AUTHENTICATION_ERROR\", message);\n\t}\n}\n\nexport class AuthorizationError extends SecondLayerError {\n\tconstructor(message: string) {\n\t\tsuper(\"AUTHORIZATION_ERROR\", message);\n\t}\n}\n\nexport class RateLimitError extends SecondLayerError {\n\tconstructor(message: string) {\n\t\tsuper(\"RATE_LIMIT_ERROR\", message);\n\t}\n}\n\nexport class ForbiddenError extends SecondLayerError {\n\tconstructor(message = \"Forbidden\") {\n\t\tsuper(\"FORBIDDEN\", message);\n\t}\n}\n\nexport class VersionConflictError extends SecondLayerError {\n\tpublic currentVersion: string;\n\tpublic expectedVersion: string;\n\n\tconstructor(currentVersion: string, expectedVersion: string) {\n\t\tsuper(\n\t\t\t\"VERSION_CONFLICT\",\n\t\t\t`Version conflict: expected ${expectedVersion}, current ${currentVersion}`,\n\t\t);\n\t\tthis.currentVersion = currentVersion;\n\t\tthis.expectedVersion = expectedVersion;\n\t}\n}\n\n/** Error code → HTTP status. Used by API middleware for code-based matching\n *  (avoids cross-bundle instanceof failures from bunup class duplication). */\ntype MappedCode = Extract<\n\tErrorCode,\n\t| \"AUTHENTICATION_ERROR\"\n\t| \"AUTHORIZATION_ERROR\"\n\t| \"RATE_LIMIT_ERROR\"\n\t| \"FORBIDDEN\"\n\t| \"NOT_FOUND\"\n\t| \"VALIDATION_ERROR\"\n>;\nexport const CODE_TO_STATUS: Record<MappedCode, 400 | 401 | 403 | 404 | 429> = {\n\tAUTHENTICATION_ERROR: 401,\n\tAUTHORIZATION_ERROR: 403,\n\tRATE_LIMIT_ERROR: 429,\n\tFORBIDDEN: 403,\n\tNOT_FOUND: 404,\n\tVALIDATION_ERROR: 400,\n} as const;\n\nexport function getErrorMessage(err: unknown): string {\n\treturn err instanceof Error ? err.message : String(err);\n}\n",
+    "import { type RawBuilder, sql } from \"kysely\";\n\n/**\n * Safely encode a JS value as a JSONB literal for Kysely inserts/updates.\n * Kysely + postgres.js double-encodes JSON when using parameterized queries\n * with ::jsonb casts. This uses sql.raw to inline a properly escaped literal.\n */\nexport function jsonb(value: unknown): RawBuilder<unknown> {\n\tconst escaped = JSON.stringify(value, (_k, v) =>\n\t\ttypeof v === \"bigint\" ? v.toString() : v,\n\t).replace(/'/g, \"''\");\n\treturn sql`${sql.raw(`'${escaped}'::jsonb`)}`;\n}\n\n/**\n * Safely parse a JSONB value from the database.\n * Handles double-encoded strings where postgres.js returns a JSON string\n * instead of a parsed object.\n */\nexport function parseJsonb<T = unknown>(value: unknown): T {\n\tif (typeof value === \"string\") {\n\t\ttry {\n\t\t\treturn JSON.parse(value) as T;\n\t\t} catch {\n\t\t\treturn value as T;\n\t\t}\n\t}\n\treturn (value ?? {}) as T;\n}\n",
+    "export const ErrorCodes = {\n\tVALIDATION_ERROR: \"VALIDATION_ERROR\",\n\tDATABASE_ERROR: \"DATABASE_ERROR\",\n\tAUTHENTICATION_ERROR: \"AUTHENTICATION_ERROR\",\n\tAUTHORIZATION_ERROR: \"AUTHORIZATION_ERROR\",\n\tRATE_LIMIT_ERROR: \"RATE_LIMIT_ERROR\",\n\tFORBIDDEN: \"FORBIDDEN\",\n\tVERSION_CONFLICT: \"VERSION_CONFLICT\",\n\tNOT_FOUND: \"NOT_FOUND\",\n\t// Tenant lifecycle (CLI surfaces these verbatim)\n\tKEY_ROTATED: \"KEY_ROTATED\",\n\tTRIAL_EXPIRED: \"TRIAL_EXPIRED\",\n\tTENANT_SUSPENDED: \"TENANT_SUSPENDED\",\n\tNO_TENANT_FOR_PROJECT: \"NO_TENANT_FOR_PROJECT\",\n\tINSTANCE_EXISTS: \"INSTANCE_EXISTS\",\n} as const;\n\nexport type ErrorCode = (typeof ErrorCodes)[keyof typeof ErrorCodes];\n\n/** Base error class for all Secondlayer errors. */\nexport class SecondLayerError extends Error {\n\tpublic code: ErrorCode;\n\tpublic override cause?: unknown;\n\n\tconstructor(code: ErrorCode, message: string, cause?: unknown) {\n\t\tsuper(message);\n\t\tthis.code = code;\n\t\tthis.cause = cause;\n\t\tthis.name = this.constructor.name;\n\t\tError.captureStackTrace?.(this, this.constructor);\n\t}\n\n\ttoJSON(): {\n\t\tname: string;\n\t\tcode: string;\n\t\tmessage: string;\n\t\tstack: string | undefined;\n\t\tcause: unknown;\n\t} {\n\t\treturn {\n\t\t\tname: this.name,\n\t\t\tcode: this.code,\n\t\t\tmessage: this.message,\n\t\t\tstack: this.stack,\n\t\t\tcause: this.cause,\n\t\t};\n\t}\n}\n\nexport class NotFoundError extends SecondLayerError {\n\tconstructor(message: string) {\n\t\tsuper(\"NOT_FOUND\", message);\n\t}\n}\n\nexport class ValidationError extends SecondLayerError {\n\tconstructor(message: string, cause?: unknown) {\n\t\tsuper(\"VALIDATION_ERROR\", message, cause);\n\t}\n}\n\nexport class DatabaseError extends SecondLayerError {\n\tconstructor(message: string, cause?: unknown) {\n\t\tsuper(\"DATABASE_ERROR\", message, cause);\n\t}\n}\n\nexport class AuthenticationError extends SecondLayerError {\n\tconstructor(message: string) {\n\t\tsuper(\"AUTHENTICATION_ERROR\", message);\n\t}\n}\n\nexport class AuthorizationError extends SecondLayerError {\n\tconstructor(message: string) {\n\t\tsuper(\"AUTHORIZATION_ERROR\", message);\n\t}\n}\n\nexport class RateLimitError extends SecondLayerError {\n\tconstructor(message: string) {\n\t\tsuper(\"RATE_LIMIT_ERROR\", message);\n\t}\n}\n\nexport class ForbiddenError extends SecondLayerError {\n\tconstructor(message = \"Forbidden\") {\n\t\tsuper(\"FORBIDDEN\", message);\n\t}\n}\n\nexport class VersionConflictError extends SecondLayerError {\n\tpublic currentVersion: string;\n\tpublic expectedVersion: string;\n\n\tconstructor(currentVersion: string, expectedVersion: string) {\n\t\tsuper(\n\t\t\t\"VERSION_CONFLICT\",\n\t\t\t`Version conflict: expected ${expectedVersion}, current ${currentVersion}`,\n\t\t);\n\t\tthis.currentVersion = currentVersion;\n\t\tthis.expectedVersion = expectedVersion;\n\t}\n}\n\nexport class KeyRotatedError extends SecondLayerError {\n\tconstructor(message = \"Token has been rotated\") {\n\t\tsuper(\"KEY_ROTATED\", message);\n\t}\n}\n\nexport class TrialExpiredError extends SecondLayerError {\n\tconstructor(message: string) {\n\t\tsuper(\"TRIAL_EXPIRED\", message);\n\t}\n}\n\nexport class TenantSuspendedError extends SecondLayerError {\n\tconstructor(message = \"Instance is suspended\") {\n\t\tsuper(\"TENANT_SUSPENDED\", message);\n\t}\n}\n\n/** Error code → HTTP status. Used by API middleware for code-based matching\n *  (avoids cross-bundle instanceof failures from bunup class duplication). */\ntype MappedCode = Extract<\n\tErrorCode,\n\t| \"AUTHENTICATION_ERROR\"\n\t| \"AUTHORIZATION_ERROR\"\n\t| \"RATE_LIMIT_ERROR\"\n\t| \"FORBIDDEN\"\n\t| \"NOT_FOUND\"\n\t| \"VALIDATION_ERROR\"\n\t| \"KEY_ROTATED\"\n\t| \"TRIAL_EXPIRED\"\n\t| \"TENANT_SUSPENDED\"\n\t| \"NO_TENANT_FOR_PROJECT\"\n\t| \"INSTANCE_EXISTS\"\n>;\nexport const CODE_TO_STATUS: Record<\n\tMappedCode,\n\t400 | 401 | 402 | 403 | 404 | 409 | 423 | 429\n> = {\n\tAUTHENTICATION_ERROR: 401,\n\tAUTHORIZATION_ERROR: 403,\n\tRATE_LIMIT_ERROR: 429,\n\tFORBIDDEN: 403,\n\tNOT_FOUND: 404,\n\tVALIDATION_ERROR: 400,\n\tKEY_ROTATED: 401,\n\tTRIAL_EXPIRED: 402,\n\tTENANT_SUSPENDED: 423,\n\tNO_TENANT_FOR_PROJECT: 404,\n\tINSTANCE_EXISTS: 409,\n} as const;\n\nexport function getErrorMessage(err: unknown): string {\n\treturn err instanceof Error ? err.message : String(err);\n}\n",
     "import type { Kysely } from \"kysely\";\nimport { VersionConflictError } from \"../../errors.ts\";\nimport { jsonb } from \"../jsonb.ts\";\nimport type {\n\tDatabase,\n\tWorkflowDefinition,\n\tWorkflowRun,\n\tWorkflowStep,\n} from \"../types.ts\";\n\n/** Bump the patch digit of a semver string. Falls back to \"1.0.1\" on malformed input. */\nexport function bumpPatch(version: string): string {\n\tconst parts = version.split(\".\");\n\tif (parts.length !== 3) return \"1.0.1\";\n\tconst [major, minor, patch] = parts.map((p) => Number.parseInt(p, 10));\n\tif (\n\t\tNumber.isNaN(major) ||\n\t\tNumber.isNaN(minor) ||\n\t\tNumber.isNaN(patch) ||\n\t\tmajor === undefined ||\n\t\tminor === undefined ||\n\t\tpatch === undefined\n\t) {\n\t\treturn \"1.0.1\";\n\t}\n\treturn `${major}.${minor}.${patch + 1}`;\n}\n\n// ── Definitions ──────────────────────────────────────────────────────\n\nexport async function listWorkflowDefinitions(\n\tdb: Kysely<Database>,\n\tapiKeyIds?: string[],\n): Promise<WorkflowDefinition[]> {\n\tlet query = db\n\t\t.selectFrom(\"workflow_definitions\")\n\t\t.selectAll()\n\t\t.where(\"status\", \"!=\", \"deleted\")\n\t\t.orderBy(\"created_at\", \"desc\");\n\n\tif (apiKeyIds?.length) {\n\t\tquery = query.where(\"api_key_id\", \"in\", apiKeyIds);\n\t}\n\n\treturn await query.execute();\n}\n\nexport async function getWorkflowDefinition(\n\tdb: Kysely<Database>,\n\tname: string,\n\tapiKeyIds?: string[],\n): Promise<WorkflowDefinition | null> {\n\tlet query = db\n\t\t.selectFrom(\"workflow_definitions\")\n\t\t.selectAll()\n\t\t.where(\"name\", \"=\", name);\n\n\tif (apiKeyIds?.length) {\n\t\tquery = query.where(\"api_key_id\", \"in\", apiKeyIds);\n\t}\n\n\treturn (await query.executeTakeFirst()) ?? null;\n}\n\nexport async function upsertWorkflowDefinition(\n\tdb: Kysely<Database>,\n\tdata: {\n\t\tname: string;\n\t\ttriggerType: string;\n\t\ttriggerConfig: Record<string, unknown>;\n\t\thandlerPath: string;\n\t\tapiKeyId: string;\n\t\tprojectId?: string;\n\t\tretriesConfig?: Record<string, unknown>;\n\t\ttimeoutMs?: number;\n\t\tsourceCode?: string;\n\t\texpectedVersion?: string;\n\t},\n): Promise<WorkflowDefinition> {\n\tconst existing = await db\n\t\t.selectFrom(\"workflow_definitions\")\n\t\t.selectAll()\n\t\t.where(\"name\", \"=\", data.name)\n\t\t.where(\"api_key_id\", \"=\", data.apiKeyId)\n\t\t.executeTakeFirst();\n\n\tif (existing) {\n\t\tif (\n\t\t\tdata.expectedVersion !== undefined &&\n\t\t\texisting.version !== data.expectedVersion\n\t\t) {\n\t\t\tthrow new VersionConflictError(existing.version, data.expectedVersion);\n\t\t}\n\n\t\tconst nextVersion = bumpPatch(existing.version);\n\n\t\treturn await db\n\t\t\t.updateTable(\"workflow_definitions\")\n\t\t\t.set({\n\t\t\t\ttrigger_type: data.triggerType,\n\t\t\t\ttrigger_config: jsonb(data.triggerConfig) as unknown as string,\n\t\t\t\thandler_path: data.handlerPath,\n\t\t\t\tsource_code: data.sourceCode ?? existing.source_code,\n\t\t\t\tretries_config: data.retriesConfig\n\t\t\t\t\t? (jsonb(data.retriesConfig) as unknown as string)\n\t\t\t\t\t: null,\n\t\t\t\ttimeout_ms: data.timeoutMs ?? null,\n\t\t\t\tversion: nextVersion,\n\t\t\t\tstatus: \"active\",\n\t\t\t\tupdated_at: new Date(),\n\t\t\t})\n\t\t\t.where(\"id\", \"=\", existing.id)\n\t\t\t.returningAll()\n\t\t\t.executeTakeFirstOrThrow();\n\t}\n\n\treturn await db\n\t\t.insertInto(\"workflow_definitions\")\n\t\t.values({\n\t\t\tname: data.name,\n\t\t\ttrigger_type: data.triggerType,\n\t\t\ttrigger_config: jsonb(data.triggerConfig) as unknown as string,\n\t\t\thandler_path: data.handlerPath,\n\t\t\tsource_code: data.sourceCode ?? null,\n\t\t\tapi_key_id: data.apiKeyId,\n\t\t\tproject_id: data.projectId ?? null,\n\t\t\tretries_config: data.retriesConfig\n\t\t\t\t? (jsonb(data.retriesConfig) as unknown as string)\n\t\t\t\t: null,\n\t\t\ttimeout_ms: data.timeoutMs ?? null,\n\t\t\tversion: \"1.0.0\",\n\t\t})\n\t\t.returningAll()\n\t\t.executeTakeFirstOrThrow();\n}\n\nexport async function updateWorkflowStatus(\n\tdb: Kysely<Database>,\n\tname: string,\n\tapiKeyId: string,\n\tstatus: string,\n): Promise<void> {\n\tawait db\n\t\t.updateTable(\"workflow_definitions\")\n\t\t.set({ status, updated_at: new Date() })\n\t\t.where(\"name\", \"=\", name)\n\t\t.where(\"api_key_id\", \"=\", apiKeyId)\n\t\t.execute();\n}\n\nexport async function deleteWorkflowDefinition(\n\tdb: Kysely<Database>,\n\tname: string,\n\tapiKeyId: string,\n): Promise<void> {\n\tawait db\n\t\t.updateTable(\"workflow_definitions\")\n\t\t.set({ status: \"deleted\", updated_at: new Date() })\n\t\t.where(\"name\", \"=\", name)\n\t\t.where(\"api_key_id\", \"=\", apiKeyId)\n\t\t.execute();\n}\n\n// ── Runs ─────────────────────────────────────────────────────────────\n\nexport async function createWorkflowRun(\n\tdb: Kysely<Database>,\n\tdata: {\n\t\tdefinitionId: string;\n\t\ttriggerType: string;\n\t\ttriggerData?: Record<string, unknown>;\n\t\tdedupKey?: string;\n\t},\n): Promise<WorkflowRun> {\n\treturn await db\n\t\t.insertInto(\"workflow_runs\")\n\t\t.values({\n\t\t\tdefinition_id: data.definitionId,\n\t\t\ttrigger_type: data.triggerType,\n\t\t\ttrigger_data: data.triggerData\n\t\t\t\t? (jsonb(data.triggerData) as unknown as string)\n\t\t\t\t: null,\n\t\t\tdedup_key: data.dedupKey ?? null,\n\t\t})\n\t\t.returningAll()\n\t\t.executeTakeFirstOrThrow();\n}\n\nexport async function getWorkflowRun(\n\tdb: Kysely<Database>,\n\trunId: string,\n): Promise<WorkflowRun | null> {\n\treturn (\n\t\t(await db\n\t\t\t.selectFrom(\"workflow_runs\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", runId)\n\t\t\t.executeTakeFirst()) ?? null\n\t);\n}\n\nexport async function listWorkflowRuns(\n\tdb: Kysely<Database>,\n\tdefinitionId: string,\n\tparams?: { status?: string; limit?: number; offset?: number },\n): Promise<WorkflowRun[]> {\n\tlet query = db\n\t\t.selectFrom(\"workflow_runs\")\n\t\t.selectAll()\n\t\t.where(\"definition_id\", \"=\", definitionId)\n\t\t.orderBy(\"created_at\", \"desc\");\n\n\tif (params?.status) {\n\t\tquery = query.where(\"status\", \"=\", params.status);\n\t}\n\n\tquery = query.limit(params?.limit ?? 20);\n\n\tif (params?.offset) {\n\t\tquery = query.offset(params.offset);\n\t}\n\n\treturn await query.execute();\n}\n\n// ── Steps ────────────────────────────────────────────────────────────\n\nexport async function getWorkflowSteps(\n\tdb: Kysely<Database>,\n\trunId: string,\n): Promise<WorkflowStep[]> {\n\treturn await db\n\t\t.selectFrom(\"workflow_steps\")\n\t\t.selectAll()\n\t\t.where(\"run_id\", \"=\", runId)\n\t\t.orderBy(\"step_index\", \"asc\")\n\t\t.execute();\n}\n"
   ],
-  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAOO,SAAS,KAAK,CAAC,OAAqC;AAAA,EAC1D,MAAM,UAAU,KAAK,UAAU,OAAO,CAAC,IAAI,MAAO,OAAO,MAAM,WAAW,EAAE,SAAS,IAAI,CAAE,EAAE,QAAQ,MAAM,IAAI;AAAA,EAC/G,OAAO,MAAM,IAAI,IAAI,IAAI,iBAAiB;AAAA;AAQpC,SAAS,UAAuB,CAAC,OAAmB;AAAA,EAC1D,IAAI,OAAO,UAAU,UAAU;AAAA,IAC9B,IAAI;AAAA,MACH,OAAO,KAAK,MAAM,KAAK;AAAA,MACtB,MAAM;AAAA,MACP,OAAO;AAAA;AAAA,EAET;AAAA,EACA,OAAQ,SAAS,CAAC;AAAA;;;ACzBZ,IAAM,aAAa;AAAA,EACzB,kBAAkB;AAAA,EAClB,gBAAgB;AAAA,EAChB,sBAAsB;AAAA,EACtB,qBAAqB;AAAA,EACrB,kBAAkB;AAAA,EAClB,WAAW;AAAA,EACX,kBAAkB;AAAA,EAClB,WAAW;AACZ;AAAA;AAKO,MAAM,yBAAyB,MAAM;AAAA,EACpC;AAAA,EACS;AAAA,EAEhB,WAAW,CAAC,MAAiB,SAAiB,OAAiB;AAAA,IAC9D,MAAM,OAAO;AAAA,IACb,KAAK,OAAO;AAAA,IACZ,KAAK,QAAQ;AAAA,IACb,KAAK,OAAO,KAAK,YAAY;AAAA,IAC7B,MAAM,oBAAoB,MAAM,KAAK,WAAW;AAAA;AAAA,EAGjD,MAAM,GAMJ;AAAA,IACD,OAAO;AAAA,MACN,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,SAAS,KAAK;AAAA,MACd,OAAO,KAAK;AAAA,MACZ,OAAO,KAAK;AAAA,IACb;AAAA;AAEF;AAAA;AAEO,MAAM,sBAAsB,iBAAiB;AAAA,EACnD,WAAW,CAAC,SAAiB;AAAA,IAC5B,MAAM,aAAa,OAAO;AAAA;AAE5B;AAAA;AAEO,MAAM,wBAAwB,iBAAiB;AAAA,EACrD,WAAW,CAAC,SAAiB,OAAiB;AAAA,IAC7C,MAAM,oBAAoB,SAAS,KAAK;AAAA;AAE1C;AAAA;AAEO,MAAM,sBAAsB,iBAAiB;AAAA,EACnD,WAAW,CAAC,SAAiB,OAAiB;AAAA,IAC7C,MAAM,kBAAkB,SAAS,KAAK;AAAA;AAExC;AAAA;AAEO,MAAM,4BAA4B,iBAAiB;AAAA,EACzD,WAAW,CAAC,SAAiB;AAAA,IAC5B,MAAM,wBAAwB,OAAO;AAAA;AAEvC;AAAA;AAEO,MAAM,2BAA2B,iBAAiB;AAAA,EACxD,WAAW,CAAC,SAAiB;AAAA,IAC5B,MAAM,uBAAuB,OAAO;AAAA;AAEtC;AAAA;AAEO,MAAM,uBAAuB,iBAAiB;AAAA,EACpD,WAAW,CAAC,SAAiB;AAAA,IAC5B,MAAM,oBAAoB,OAAO;AAAA;AAEnC;AAAA;AAEO,MAAM,uBAAuB,iBAAiB;AAAA,EACpD,WAAW,CAAC,UAAU,aAAa;AAAA,IAClC,MAAM,aAAa,OAAO;AAAA;AAE5B;AAAA;AAEO,MAAM,6BAA6B,iBAAiB;AAAA,EACnD;AAAA,EACA;AAAA,EAEP,WAAW,CAAC,gBAAwB,iBAAyB;AAAA,IAC5D,MACC,oBACA,8BAA8B,4BAA4B,gBAC3D;AAAA,IACA,KAAK,iBAAiB;AAAA,IACtB,KAAK,kBAAkB;AAAA;AAEzB;AAaO,IAAM,iBAAkE;AAAA,EAC9E,sBAAsB;AAAA,EACtB,qBAAqB;AAAA,EACrB,kBAAkB;AAAA,EAClB,WAAW;AAAA,EACX,WAAW;AAAA,EACX,kBAAkB;AACnB;AAEO,SAAS,eAAe,CAAC,KAAsB;AAAA,EACrD,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA;;;AC7GhD,SAAS,SAAS,CAAC,SAAyB;AAAA,EAClD,MAAM,QAAQ,QAAQ,MAAM,GAAG;AAAA,EAC/B,IAAI,MAAM,WAAW;AAAA,IAAG,OAAO;AAAA,EAC/B,OAAO,OAAO,OAAO,SAAS,MAAM,IAAI,CAAC,MAAM,OAAO,SAAS,GAAG,EAAE,CAAC;AAAA,EACrE,IACC,OAAO,MAAM,KAAK,KAClB,OAAO,MAAM,KAAK,KAClB,OAAO,MAAM,KAAK,KAClB,UAAU,aACV,UAAU,aACV,UAAU,WACT;AAAA,IACD,OAAO;AAAA,EACR;AAAA,EACA,OAAO,GAAG,SAAS,SAAS,QAAQ;AAAA;AAKrC,eAAsB,uBAAuB,CAC5C,IACA,WACgC;AAAA,EAChC,IAAI,QAAQ,GACV,WAAW,sBAAsB,EACjC,UAAU,EACV,MAAM,UAAU,MAAM,SAAS,EAC/B,QAAQ,cAAc,MAAM;AAAA,EAE9B,IAAI,WAAW,QAAQ;AAAA,IACtB,QAAQ,MAAM,MAAM,cAAc,MAAM,SAAS;AAAA,EAClD;AAAA,EAEA,OAAO,MAAM,MAAM,QAAQ;AAAA;AAG5B,eAAsB,qBAAqB,CAC1C,IACA,MACA,WACqC;AAAA,EACrC,IAAI,QAAQ,GACV,WAAW,sBAAsB,EACjC,UAAU,EACV,MAAM,QAAQ,KAAK,IAAI;AAAA,EAEzB,IAAI,WAAW,QAAQ;AAAA,IACtB,QAAQ,MAAM,MAAM,cAAc,MAAM,SAAS;AAAA,EAClD;AAAA,EAEA,OAAQ,MAAM,MAAM,iBAAiB,KAAM;AAAA;AAG5C,eAAsB,wBAAwB,CAC7C,IACA,MAY8B;AAAA,EAC9B,MAAM,WAAW,MAAM,GACrB,WAAW,sBAAsB,EACjC,UAAU,EACV,MAAM,QAAQ,KAAK,KAAK,IAAI,EAC5B,MAAM,cAAc,KAAK,KAAK,QAAQ,EACtC,iBAAiB;AAAA,EAEnB,IAAI,UAAU;AAAA,IACb,IACC,KAAK,oBAAoB,aACzB,SAAS,YAAY,KAAK,iBACzB;AAAA,MACD,MAAM,IAAI,qBAAqB,SAAS,SAAS,KAAK,eAAe;AAAA,IACtE;AAAA,IAEA,MAAM,cAAc,UAAU,SAAS,OAAO;AAAA,IAE9C,OAAO,MAAM,GACX,YAAY,sBAAsB,EAClC,IAAI;AAAA,MACJ,cAAc,KAAK;AAAA,MACnB,gBAAgB,MAAM,KAAK,aAAa;AAAA,MACxC,cAAc,KAAK;AAAA,MACnB,aAAa,KAAK,cAAc,SAAS;AAAA,MACzC,gBAAgB,KAAK,gBACjB,MAAM,KAAK,aAAa,IACzB;AAAA,MACH,YAAY,KAAK,aAAa;AAAA,MAC9B,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,YAAY,IAAI;AAAA,IACjB,CAAC,EACA,MAAM,MAAM,KAAK,SAAS,EAAE,EAC5B,aAAa,EACb,wBAAwB;AAAA,EAC3B;AAAA,EAEA,OAAO,MAAM,GACX,WAAW,sBAAsB,EACjC,OAAO;AAAA,IACP,MAAM,KAAK;AAAA,IACX,cAAc,KAAK;AAAA,IACnB,gBAAgB,MAAM,KAAK,aAAa;AAAA,IACxC,cAAc,KAAK;AAAA,IACnB,aAAa,KAAK,cAAc;AAAA,IAChC,YAAY,KAAK;AAAA,IACjB,YAAY,KAAK,aAAa;AAAA,IAC9B,gBAAgB,KAAK,gBACjB,MAAM,KAAK,aAAa,IACzB;AAAA,IACH,YAAY,KAAK,aAAa;AAAA,IAC9B,SAAS;AAAA,EACV,CAAC,EACA,aAAa,EACb,wBAAwB;AAAA;AAG3B,eAAsB,oBAAoB,CACzC,IACA,MACA,UACA,QACgB;AAAA,EAChB,MAAM,GACJ,YAAY,sBAAsB,EAClC,IAAI,EAAE,QAAQ,YAAY,IAAI,KAAO,CAAC,EACtC,MAAM,QAAQ,KAAK,IAAI,EACvB,MAAM,cAAc,KAAK,QAAQ,EACjC,QAAQ;AAAA;AAGX,eAAsB,wBAAwB,CAC7C,IACA,MACA,UACgB;AAAA,EAChB,MAAM,GACJ,YAAY,sBAAsB,EAClC,IAAI,EAAE,QAAQ,WAAW,YAAY,IAAI,KAAO,CAAC,EACjD,MAAM,QAAQ,KAAK,IAAI,EACvB,MAAM,cAAc,KAAK,QAAQ,EACjC,QAAQ;AAAA;AAKX,eAAsB,iBAAiB,CACtC,IACA,MAMuB;AAAA,EACvB,OAAO,MAAM,GACX,WAAW,eAAe,EAC1B,OAAO;AAAA,IACP,eAAe,KAAK;AAAA,IACpB,cAAc,KAAK;AAAA,IACnB,cAAc,KAAK,cACf,MAAM,KAAK,WAAW,IACvB;AAAA,IACH,WAAW,KAAK,YAAY;AAAA,EAC7B,CAAC,EACA,aAAa,EACb,wBAAwB;AAAA;AAG3B,eAAsB,cAAc,CACnC,IACA,OAC8B;AAAA,EAC9B,OACE,MAAM,GACL,WAAW,eAAe,EAC1B,UAAU,EACV,MAAM,MAAM,KAAK,KAAK,EACtB,iBAAiB,KAAM;AAAA;AAI3B,eAAsB,gBAAgB,CACrC,IACA,cACA,QACyB;AAAA,EACzB,IAAI,QAAQ,GACV,WAAW,eAAe,EAC1B,UAAU,EACV,MAAM,iBAAiB,KAAK,YAAY,EACxC,QAAQ,cAAc,MAAM;AAAA,EAE9B,IAAI,QAAQ,QAAQ;AAAA,IACnB,QAAQ,MAAM,MAAM,UAAU,KAAK,OAAO,MAAM;AAAA,EACjD;AAAA,EAEA,QAAQ,MAAM,MAAM,QAAQ,SAAS,EAAE;AAAA,EAEvC,IAAI,QAAQ,QAAQ;AAAA,IACnB,QAAQ,MAAM,OAAO,OAAO,MAAM;AAAA,EACnC;AAAA,EAEA,OAAO,MAAM,MAAM,QAAQ;AAAA;AAK5B,eAAsB,gBAAgB,CACrC,IACA,OAC0B;AAAA,EAC1B,OAAO,MAAM,GACX,WAAW,gBAAgB,EAC3B,UAAU,EACV,MAAM,UAAU,KAAK,KAAK,EAC1B,QAAQ,cAAc,KAAK,EAC3B,QAAQ;AAAA;",
-  "debugId": "A3CE9B539936424A64756E2164756E21",
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAOO,SAAS,KAAK,CAAC,OAAqC;AAAA,EAC1D,MAAM,UAAU,KAAK,UAAU,OAAO,CAAC,IAAI,MAC1C,OAAO,MAAM,WAAW,EAAE,SAAS,IAAI,CACxC,EAAE,QAAQ,MAAM,IAAI;AAAA,EACpB,OAAO,MAAM,IAAI,IAAI,IAAI,iBAAiB;AAAA;AAQpC,SAAS,UAAuB,CAAC,OAAmB;AAAA,EAC1D,IAAI,OAAO,UAAU,UAAU;AAAA,IAC9B,IAAI;AAAA,MACH,OAAO,KAAK,MAAM,KAAK;AAAA,MACtB,MAAM;AAAA,MACP,OAAO;AAAA;AAAA,EAET;AAAA,EACA,OAAQ,SAAS,CAAC;AAAA;;;AC3BZ,IAAM,aAAa;AAAA,EACzB,kBAAkB;AAAA,EAClB,gBAAgB;AAAA,EAChB,sBAAsB;AAAA,EACtB,qBAAqB;AAAA,EACrB,kBAAkB;AAAA,EAClB,WAAW;AAAA,EACX,kBAAkB;AAAA,EAClB,WAAW;AAAA,EAEX,aAAa;AAAA,EACb,eAAe;AAAA,EACf,kBAAkB;AAAA,EAClB,uBAAuB;AAAA,EACvB,iBAAiB;AAClB;AAAA;AAKO,MAAM,yBAAyB,MAAM;AAAA,EACpC;AAAA,EACS;AAAA,EAEhB,WAAW,CAAC,MAAiB,SAAiB,OAAiB;AAAA,IAC9D,MAAM,OAAO;AAAA,IACb,KAAK,OAAO;AAAA,IACZ,KAAK,QAAQ;AAAA,IACb,KAAK,OAAO,KAAK,YAAY;AAAA,IAC7B,MAAM,oBAAoB,MAAM,KAAK,WAAW;AAAA;AAAA,EAGjD,MAAM,GAMJ;AAAA,IACD,OAAO;AAAA,MACN,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,SAAS,KAAK;AAAA,MACd,OAAO,KAAK;AAAA,MACZ,OAAO,KAAK;AAAA,IACb;AAAA;AAEF;AAAA;AAEO,MAAM,sBAAsB,iBAAiB;AAAA,EACnD,WAAW,CAAC,SAAiB;AAAA,IAC5B,MAAM,aAAa,OAAO;AAAA;AAE5B;AAAA;AAEO,MAAM,wBAAwB,iBAAiB;AAAA,EACrD,WAAW,CAAC,SAAiB,OAAiB;AAAA,IAC7C,MAAM,oBAAoB,SAAS,KAAK;AAAA;AAE1C;AAAA;AAEO,MAAM,sBAAsB,iBAAiB;AAAA,EACnD,WAAW,CAAC,SAAiB,OAAiB;AAAA,IAC7C,MAAM,kBAAkB,SAAS,KAAK;AAAA;AAExC;AAAA;AAEO,MAAM,4BAA4B,iBAAiB;AAAA,EACzD,WAAW,CAAC,SAAiB;AAAA,IAC5B,MAAM,wBAAwB,OAAO;AAAA;AAEvC;AAAA;AAEO,MAAM,2BAA2B,iBAAiB;AAAA,EACxD,WAAW,CAAC,SAAiB;AAAA,IAC5B,MAAM,uBAAuB,OAAO;AAAA;AAEtC;AAAA;AAEO,MAAM,uBAAuB,iBAAiB;AAAA,EACpD,WAAW,CAAC,SAAiB;AAAA,IAC5B,MAAM,oBAAoB,OAAO;AAAA;AAEnC;AAAA;AAEO,MAAM,uBAAuB,iBAAiB;AAAA,EACpD,WAAW,CAAC,UAAU,aAAa;AAAA,IAClC,MAAM,aAAa,OAAO;AAAA;AAE5B;AAAA;AAEO,MAAM,6BAA6B,iBAAiB;AAAA,EACnD;AAAA,EACA;AAAA,EAEP,WAAW,CAAC,gBAAwB,iBAAyB;AAAA,IAC5D,MACC,oBACA,8BAA8B,4BAA4B,gBAC3D;AAAA,IACA,KAAK,iBAAiB;AAAA,IACtB,KAAK,kBAAkB;AAAA;AAEzB;AAAA;AAEO,MAAM,wBAAwB,iBAAiB;AAAA,EACrD,WAAW,CAAC,UAAU,0BAA0B;AAAA,IAC/C,MAAM,eAAe,OAAO;AAAA;AAE9B;AAAA;AAEO,MAAM,0BAA0B,iBAAiB;AAAA,EACvD,WAAW,CAAC,SAAiB;AAAA,IAC5B,MAAM,iBAAiB,OAAO;AAAA;AAEhC;AAAA;AAEO,MAAM,6BAA6B,iBAAiB;AAAA,EAC1D,WAAW,CAAC,UAAU,yBAAyB;AAAA,IAC9C,MAAM,oBAAoB,OAAO;AAAA;AAEnC;AAkBO,IAAM,iBAGT;AAAA,EACH,sBAAsB;AAAA,EACtB,qBAAqB;AAAA,EACrB,kBAAkB;AAAA,EAClB,WAAW;AAAA,EACX,WAAW;AAAA,EACX,kBAAkB;AAAA,EAClB,aAAa;AAAA,EACb,eAAe;AAAA,EACf,kBAAkB;AAAA,EAClB,uBAAuB;AAAA,EACvB,iBAAiB;AAClB;AAEO,SAAS,eAAe,CAAC,KAAsB;AAAA,EACrD,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA;;;AClJhD,SAAS,SAAS,CAAC,SAAyB;AAAA,EAClD,MAAM,QAAQ,QAAQ,MAAM,GAAG;AAAA,EAC/B,IAAI,MAAM,WAAW;AAAA,IAAG,OAAO;AAAA,EAC/B,OAAO,OAAO,OAAO,SAAS,MAAM,IAAI,CAAC,MAAM,OAAO,SAAS,GAAG,EAAE,CAAC;AAAA,EACrE,IACC,OAAO,MAAM,KAAK,KAClB,OAAO,MAAM,KAAK,KAClB,OAAO,MAAM,KAAK,KAClB,UAAU,aACV,UAAU,aACV,UAAU,WACT;AAAA,IACD,OAAO;AAAA,EACR;AAAA,EACA,OAAO,GAAG,SAAS,SAAS,QAAQ;AAAA;AAKrC,eAAsB,uBAAuB,CAC5C,IACA,WACgC;AAAA,EAChC,IAAI,QAAQ,GACV,WAAW,sBAAsB,EACjC,UAAU,EACV,MAAM,UAAU,MAAM,SAAS,EAC/B,QAAQ,cAAc,MAAM;AAAA,EAE9B,IAAI,WAAW,QAAQ;AAAA,IACtB,QAAQ,MAAM,MAAM,cAAc,MAAM,SAAS;AAAA,EAClD;AAAA,EAEA,OAAO,MAAM,MAAM,QAAQ;AAAA;AAG5B,eAAsB,qBAAqB,CAC1C,IACA,MACA,WACqC;AAAA,EACrC,IAAI,QAAQ,GACV,WAAW,sBAAsB,EACjC,UAAU,EACV,MAAM,QAAQ,KAAK,IAAI;AAAA,EAEzB,IAAI,WAAW,QAAQ;AAAA,IACtB,QAAQ,MAAM,MAAM,cAAc,MAAM,SAAS;AAAA,EAClD;AAAA,EAEA,OAAQ,MAAM,MAAM,iBAAiB,KAAM;AAAA;AAG5C,eAAsB,wBAAwB,CAC7C,IACA,MAY8B;AAAA,EAC9B,MAAM,WAAW,MAAM,GACrB,WAAW,sBAAsB,EACjC,UAAU,EACV,MAAM,QAAQ,KAAK,KAAK,IAAI,EAC5B,MAAM,cAAc,KAAK,KAAK,QAAQ,EACtC,iBAAiB;AAAA,EAEnB,IAAI,UAAU;AAAA,IACb,IACC,KAAK,oBAAoB,aACzB,SAAS,YAAY,KAAK,iBACzB;AAAA,MACD,MAAM,IAAI,qBAAqB,SAAS,SAAS,KAAK,eAAe;AAAA,IACtE;AAAA,IAEA,MAAM,cAAc,UAAU,SAAS,OAAO;AAAA,IAE9C,OAAO,MAAM,GACX,YAAY,sBAAsB,EAClC,IAAI;AAAA,MACJ,cAAc,KAAK;AAAA,MACnB,gBAAgB,MAAM,KAAK,aAAa;AAAA,MACxC,cAAc,KAAK;AAAA,MACnB,aAAa,KAAK,cAAc,SAAS;AAAA,MACzC,gBAAgB,KAAK,gBACjB,MAAM,KAAK,aAAa,IACzB;AAAA,MACH,YAAY,KAAK,aAAa;AAAA,MAC9B,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,YAAY,IAAI;AAAA,IACjB,CAAC,EACA,MAAM,MAAM,KAAK,SAAS,EAAE,EAC5B,aAAa,EACb,wBAAwB;AAAA,EAC3B;AAAA,EAEA,OAAO,MAAM,GACX,WAAW,sBAAsB,EACjC,OAAO;AAAA,IACP,MAAM,KAAK;AAAA,IACX,cAAc,KAAK;AAAA,IACnB,gBAAgB,MAAM,KAAK,aAAa;AAAA,IACxC,cAAc,KAAK;AAAA,IACnB,aAAa,KAAK,cAAc;AAAA,IAChC,YAAY,KAAK;AAAA,IACjB,YAAY,KAAK,aAAa;AAAA,IAC9B,gBAAgB,KAAK,gBACjB,MAAM,KAAK,aAAa,IACzB;AAAA,IACH,YAAY,KAAK,aAAa;AAAA,IAC9B,SAAS;AAAA,EACV,CAAC,EACA,aAAa,EACb,wBAAwB;AAAA;AAG3B,eAAsB,oBAAoB,CACzC,IACA,MACA,UACA,QACgB;AAAA,EAChB,MAAM,GACJ,YAAY,sBAAsB,EAClC,IAAI,EAAE,QAAQ,YAAY,IAAI,KAAO,CAAC,EACtC,MAAM,QAAQ,KAAK,IAAI,EACvB,MAAM,cAAc,KAAK,QAAQ,EACjC,QAAQ;AAAA;AAGX,eAAsB,wBAAwB,CAC7C,IACA,MACA,UACgB;AAAA,EAChB,MAAM,GACJ,YAAY,sBAAsB,EAClC,IAAI,EAAE,QAAQ,WAAW,YAAY,IAAI,KAAO,CAAC,EACjD,MAAM,QAAQ,KAAK,IAAI,EACvB,MAAM,cAAc,KAAK,QAAQ,EACjC,QAAQ;AAAA;AAKX,eAAsB,iBAAiB,CACtC,IACA,MAMuB;AAAA,EACvB,OAAO,MAAM,GACX,WAAW,eAAe,EAC1B,OAAO;AAAA,IACP,eAAe,KAAK;AAAA,IACpB,cAAc,KAAK;AAAA,IACnB,cAAc,KAAK,cACf,MAAM,KAAK,WAAW,IACvB;AAAA,IACH,WAAW,KAAK,YAAY;AAAA,EAC7B,CAAC,EACA,aAAa,EACb,wBAAwB;AAAA;AAG3B,eAAsB,cAAc,CACnC,IACA,OAC8B;AAAA,EAC9B,OACE,MAAM,GACL,WAAW,eAAe,EAC1B,UAAU,EACV,MAAM,MAAM,KAAK,KAAK,EACtB,iBAAiB,KAAM;AAAA;AAI3B,eAAsB,gBAAgB,CACrC,IACA,cACA,QACyB;AAAA,EACzB,IAAI,QAAQ,GACV,WAAW,eAAe,EAC1B,UAAU,EACV,MAAM,iBAAiB,KAAK,YAAY,EACxC,QAAQ,cAAc,MAAM;AAAA,EAE9B,IAAI,QAAQ,QAAQ;AAAA,IACnB,QAAQ,MAAM,MAAM,UAAU,KAAK,OAAO,MAAM;AAAA,EACjD;AAAA,EAEA,QAAQ,MAAM,MAAM,QAAQ,SAAS,EAAE;AAAA,EAEvC,IAAI,QAAQ,QAAQ;AAAA,IACnB,QAAQ,MAAM,OAAO,OAAO,MAAM;AAAA,EACnC;AAAA,EAEA,OAAO,MAAM,MAAM,QAAQ;AAAA;AAK5B,eAAsB,gBAAgB,CACrC,IACA,OAC0B;AAAA,EAC1B,OAAO,MAAM,GACX,WAAW,gBAAgB,EAC3B,UAAU,EACV,MAAM,UAAU,KAAK,KAAK,EAC1B,QAAQ,cAAc,KAAK,EAC3B,QAAQ;AAAA;",
+  "debugId": "E33493756835BCAB64756E2164756E21",
   "names": []
 }