@secondlayer/shared 2.1.0 → 3.0.0-beta.1

package/README.md

@@ -24,10 +24,11 @@ DATABASE_URL=... bun run migrate
 |------|-------------|
 | `@secondlayer/shared` | Core utilities |
 | `@secondlayer/shared/db` | Kysely database layer |
-| `@secondlayer/shared/db/queries/*` | Query helpers (integrity, accounts, usage, subgraphs, marketplace, projects, subgraph-gaps, workflows) |
+| `@secondlayer/shared/db/queries/*` | Query helpers (integrity, accounts, usage, subgraphs, projects, subgraph-gaps, tenants, provisioning-audit) |
 | `@secondlayer/shared/db/schema` | Database schema |
 | `@secondlayer/shared/db/jsonb` | JSONB helpers |
 | `@secondlayer/shared/schemas` | Zod schemas |
+| `@secondlayer/shared/schemas/accounts` | Account profile schemas |
 | `@secondlayer/shared/schemas/filters` | Event filter schemas |
 | `@secondlayer/shared/schemas/subgraphs` | Subgraph schemas |
 | `@secondlayer/shared/types` | Shared TypeScript types |
@@ -38,4 +39,3 @@ DATABASE_URL=... bun run migrate
 | `@secondlayer/shared/crypto` | HMAC signing |
 | `@secondlayer/shared/node` | Stacks node client |
 | `@secondlayer/shared/node/hiro-pg-client` | Direct PG queries against Hiro DB |
-| `@secondlayer/shared/lib/plans` | Plan definitions |

package/dist/src/crypto/secrets.js

@@ -14,15 +14,59 @@ var __export = (target, all) => {
     });
 };
 
+// src/mode.ts
+var VALID_MODES = ["oss", "dedicated", "platform"];
+function getInstanceMode() {
+  const raw = process.env.INSTANCE_MODE?.trim().toLowerCase();
+  if (raw && VALID_MODES.includes(raw)) {
+    return raw;
+  }
+  return "oss";
+}
+function isPlatformMode() {
+  return getInstanceMode() === "platform";
+}
+function isOssMode() {
+  return getInstanceMode() === "oss";
+}
+function isDedicatedMode() {
+  return getInstanceMode() === "dedicated";
+}
+
 // src/crypto/secrets.ts
 import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+import { appendFileSync, existsSync, readFileSync } from "node:fs";
+import { resolve } from "node:path";
 var KEY_ENV = "SECONDLAYER_SECRETS_KEY";
 var IV_LEN = 12;
 var TAG_LEN = 16;
+function bootstrapOssKey() {
+  const envPath = resolve(process.cwd(), ".env.local");
+  if (existsSync(envPath)) {
+    const contents = readFileSync(envPath, "utf8");
+    const match = contents.match(/^SECONDLAYER_SECRETS_KEY=([a-fA-F0-9]{64})/m);
+    if (match) {
+      process.env[KEY_ENV] = match[1];
+      return match[1];
+    }
+  }
+  const hex = randomBytes(32).toString("hex");
+  const line = `${existsSync(envPath) ? `
+` : ""}${KEY_ENV}=${hex}
+`;
+  appendFileSync(envPath, line, { mode: 384 });
+  process.env[KEY_ENV] = hex;
+  console.log(`[secondlayer] generated ${KEY_ENV}; saved to ${envPath} (mode 0600)`);
+  return hex;
+}
 function loadKey() {
-  const hex = process.env[KEY_ENV];
+  let hex = process.env[KEY_ENV];
   if (!hex) {
-    throw new Error(`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`);
+    if (getInstanceMode() === "oss") {
+      hex = bootstrapOssKey();
+    } else {
+      throw new Error(`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`);
+    }
   }
   const key = Buffer.from(hex, "hex");
   if (key.length !== 32) {
@@ -65,5 +109,5 @@ export {
   decryptSecret
 };
 
-//# debugId=0FD7F496A1099A3864756E2164756E21
+//# debugId=982B15A94DFBA98464756E2164756E21
 //# sourceMappingURL=secrets.js.map

package/dist/src/crypto/secrets.js.map

@@ -1,10 +1,11 @@
 {
   "version": 3,
-  "sources": ["../src/crypto/secrets.ts"],
+  "sources": ["../src/mode.ts", "../src/crypto/secrets.ts"],
   "sourcesContent": [
-    "import { createCipheriv, createDecipheriv, randomBytes } from \"node:crypto\";\n\n/**\n * AES-256-GCM symmetric envelope for workflow signer secrets.\n *\n * Ciphertext layout: `iv (12 bytes) || authTag (16 bytes) || ciphertext`\n *\n * The key comes from `SECONDLAYER_SECRETS_KEY` — 32 bytes hex. Callers must\n * load + cache the key once per process. Rotation strategy: when a customer\n * wants to rotate keys, re-encrypt all rows with the new key and swap the\n * env var. Not zero-downtime, but acceptable at v2 scale.\n *\n * For real KMS (AWS KMS, HashiCorp Vault, GCP KMS), wrap the same byte\n * layout behind an `EncryptSecret` / `DecryptSecret` interface in the\n * runner and swap the implementation at startup.\n */\n\nconst KEY_ENV = \"SECONDLAYER_SECRETS_KEY\";\nconst IV_LEN = 12;\nconst TAG_LEN = 16;\n\nfunction loadKey(): Buffer {\n\tconst hex = process.env[KEY_ENV];\n\tif (!hex) {\n\t\tthrow new Error(\n\t\t\t`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`,\n\t\t);\n\t}\n\tconst key = Buffer.from(hex, \"hex\");\n\tif (key.length !== 32) {\n\t\tthrow new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);\n\t}\n\treturn key;\n}\n\nlet _cachedKey: Buffer | null = null;\nfunction getKey(): Buffer {\n\tif (!_cachedKey) _cachedKey = loadKey();\n\treturn _cachedKey;\n}\n\nexport function encryptSecret(plaintext: string): Buffer {\n\tconst key = getKey();\n\tconst iv = randomBytes(IV_LEN);\n\tconst cipher = createCipheriv(\"aes-256-gcm\", key, iv);\n\tconst ciphertext = Buffer.concat([\n\t\tcipher.update(plaintext, \"utf8\"),\n\t\tcipher.final(),\n\t]);\n\tconst tag = cipher.getAuthTag();\n\treturn Buffer.concat([iv, tag, ciphertext]);\n}\n\nexport function decryptSecret(envelope: Buffer): string {\n\tconst key = getKey();\n\tconst iv = envelope.subarray(0, IV_LEN);\n\tconst tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);\n\tconst ciphertext = envelope.subarray(IV_LEN + TAG_LEN);\n\tconst decipher = createDecipheriv(\"aes-256-gcm\", key, iv);\n\tdecipher.setAuthTag(tag);\n\treturn decipher.update(ciphertext).toString(\"utf8\") + decipher.final(\"utf8\");\n}\n\n/** Generate a fresh 32-byte hex key suitable for `SECONDLAYER_SECRETS_KEY`. */\nexport function generateSecretsKey(): string {\n\treturn randomBytes(32).toString(\"hex\");\n}\n"
+    "/**\n * Instance modes for the Secondlayer platform.\n *\n * - `oss`: self-hosted, single-tenant. No auth middleware, no platform routes\n *   (projects, admin, workflows). Everything runs against a single\n *   `DATABASE_URL`. Intended for `docker compose up`.\n *\n * - `dedicated`: per-customer managed instance. JWT-based auth (anon =\n *   read-only, service = full). Dual-DB mode — shared source indexer DB for\n *   block reads, per-tenant target DB for subgraph data. No platform-wide\n *   routes mounted (no cross-tenant accounts).\n *\n * - `platform`: control-plane mode. Magic-link auth, API keys, projects,\n *   tenants, admin. Serves the dashboard + CLI against a single shared DB.\n */\n\nexport type InstanceMode = \"oss\" | \"dedicated\" | \"platform\";\n\nconst VALID_MODES: readonly InstanceMode[] = [\"oss\", \"dedicated\", \"platform\"];\n\n/**\n * Resolve the active instance mode from `process.env.INSTANCE_MODE`.\n * Defaults to `\"oss\"` — the safest default for self-hosters who deploy\n * without setting the variable.\n */\nexport function getInstanceMode(): InstanceMode {\n\tconst raw = process.env.INSTANCE_MODE?.trim().toLowerCase();\n\tif (raw && (VALID_MODES as readonly string[]).includes(raw)) {\n\t\treturn raw as InstanceMode;\n\t}\n\treturn \"oss\";\n}\n\n/** True when the active mode is `\"platform\"` (shared multi-tenant). */\nexport function isPlatformMode(): boolean {\n\treturn getInstanceMode() === \"platform\";\n}\n\n/** True when the active mode is `\"oss\"` (self-hosted). */\nexport function isOssMode(): boolean {\n\treturn getInstanceMode() === \"oss\";\n}\n\n/** True when the active mode is `\"dedicated\"` (per-tenant managed). */\nexport function isDedicatedMode(): boolean {\n\treturn getInstanceMode() === \"dedicated\";\n}\n",
+    "import { createCipheriv, createDecipheriv, randomBytes } from \"node:crypto\";\nimport { appendFileSync, existsSync, readFileSync } from \"node:fs\";\nimport { resolve } from \"node:path\";\nimport { getInstanceMode } from \"../mode.ts\";\n\n/**\n * AES-256-GCM symmetric envelope for encrypted secrets at rest (tenant keys,\n * subscription signing secrets, etc.).\n *\n * Ciphertext layout: `iv (12 bytes) || authTag (16 bytes) || ciphertext`\n *\n * The key comes from `SECONDLAYER_SECRETS_KEY` — 32 bytes hex. In OSS mode,\n * if the env var is unset on first use we autogenerate a key and persist it\n * to `.env.local` in the current working directory so subsequent restarts\n * pick it up without user intervention. Dedicated/platform modes throw —\n * those runtimes must provision the key explicitly.\n *\n * Rotation strategy: re-encrypt all rows with the new key and swap the env\n * var. Not zero-downtime, but acceptable at v2 scale. For real KMS (AWS\n * KMS, Vault, GCP KMS), wrap the same byte layout behind an\n * `EncryptSecret`/`DecryptSecret` interface and swap at startup.\n */\n\nconst KEY_ENV = \"SECONDLAYER_SECRETS_KEY\";\nconst IV_LEN = 12;\nconst TAG_LEN = 16;\n\nfunction bootstrapOssKey(): string {\n\tconst envPath = resolve(process.cwd(), \".env.local\");\n\n\t// Check existing .env.local first — prior run may have written it.\n\tif (existsSync(envPath)) {\n\t\tconst contents = readFileSync(envPath, \"utf8\");\n\t\tconst match = contents.match(/^SECONDLAYER_SECRETS_KEY=([a-fA-F0-9]{64})/m);\n\t\tif (match) {\n\t\t\tprocess.env[KEY_ENV] = match[1];\n\t\t\treturn match[1];\n\t\t}\n\t}\n\n\tconst hex = randomBytes(32).toString(\"hex\");\n\tconst line = `${existsSync(envPath) ? \"\\n\" : \"\"}${KEY_ENV}=${hex}\\n`;\n\tappendFileSync(envPath, line, { mode: 0o600 });\n\tprocess.env[KEY_ENV] = hex;\n\tconsole.log(\n\t\t`[secondlayer] generated ${KEY_ENV}; saved to ${envPath} (mode 0600)`,\n\t);\n\treturn hex;\n}\n\nfunction loadKey(): Buffer {\n\tlet hex = process.env[KEY_ENV];\n\tif (!hex) {\n\t\tif (getInstanceMode() === \"oss\") {\n\t\t\thex = bootstrapOssKey();\n\t\t} else {\n\t\t\tthrow new Error(\n\t\t\t\t`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`,\n\t\t\t);\n\t\t}\n\t}\n\tconst key = Buffer.from(hex, \"hex\");\n\tif (key.length !== 32) {\n\t\tthrow new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);\n\t}\n\treturn key;\n}\n\nlet _cachedKey: Buffer | null = null;\nfunction getKey(): Buffer {\n\tif (!_cachedKey) _cachedKey = loadKey();\n\treturn _cachedKey;\n}\n\nexport function encryptSecret(plaintext: string): Buffer {\n\tconst key = getKey();\n\tconst iv = randomBytes(IV_LEN);\n\tconst cipher = createCipheriv(\"aes-256-gcm\", key, iv);\n\tconst ciphertext = Buffer.concat([\n\t\tcipher.update(plaintext, \"utf8\"),\n\t\tcipher.final(),\n\t]);\n\tconst tag = cipher.getAuthTag();\n\treturn Buffer.concat([iv, tag, ciphertext]);\n}\n\nexport function decryptSecret(envelope: Buffer): string {\n\tconst key = getKey();\n\tconst iv = envelope.subarray(0, IV_LEN);\n\tconst tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);\n\tconst ciphertext = envelope.subarray(IV_LEN + TAG_LEN);\n\tconst decipher = createDecipheriv(\"aes-256-gcm\", key, iv);\n\tdecipher.setAuthTag(tag);\n\treturn decipher.update(ciphertext).toString(\"utf8\") + decipher.final(\"utf8\");\n}\n\n/** Generate a fresh 32-byte hex key suitable for `SECONDLAYER_SECRETS_KEY`. */\nexport function generateSecretsKey(): string {\n\treturn randomBytes(32).toString(\"hex\");\n}\n"
   ],
-  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAiBA,IAAM,UAAU;AAChB,IAAM,SAAS;AACf,IAAM,UAAU;AAEhB,SAAS,OAAO,GAAW;AAAA,EAC1B,MAAM,MAAM,QAAQ,IAAI;AAAA,EACxB,IAAI,CAAC,KAAK;AAAA,IACT,MAAM,IAAI,MACT,GAAG,0DACJ;AAAA,EACD;AAAA,EACA,MAAM,MAAM,OAAO,KAAK,KAAK,KAAK;AAAA,EAClC,IAAI,IAAI,WAAW,IAAI;AAAA,IACtB,MAAM,IAAI,MAAM,GAAG,qCAAqC,IAAI,SAAS;AAAA,EACtE;AAAA,EACA,OAAO;AAAA;AAGR,IAAI,aAA4B;AAChC,SAAS,MAAM,GAAW;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,aAAa,QAAQ;AAAA,EACtC,OAAO;AAAA;AAGD,SAAS,aAAa,CAAC,WAA2B;AAAA,EACxD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,YAAY,MAAM;AAAA,EAC7B,MAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAAA,EACpD,MAAM,aAAa,OAAO,OAAO;AAAA,IAChC,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACd,CAAC;AAAA,EACD,MAAM,MAAM,OAAO,WAAW;AAAA,EAC9B,OAAO,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC;AAAA;AAGpC,SAAS,aAAa,CAAC,UAA0B;AAAA,EACvD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,SAAS,SAAS,GAAG,MAAM;AAAA,EACtC,MAAM,MAAM,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,EACtD,MAAM,aAAa,SAAS,SAAS,SAAS,OAAO;AAAA,EACrD,MAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AAAA,EACxD,SAAS,WAAW,GAAG;AAAA,EACvB,OAAO,SAAS,OAAO,UAAU,EAAE,SAAS,MAAM,IAAI,SAAS,MAAM,MAAM;AAAA;AAIrE,SAAS,kBAAkB,GAAW;AAAA,EAC5C,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA;",
-  "debugId": "0FD7F496A1099A3864756E2164756E21",
+  "mappings": ";;;;;;;;;;;;;;;;;AAkBA,IAAM,cAAuC,CAAC,OAAO,aAAa,UAAU;AAOrE,SAAS,eAAe,GAAiB;AAAA,EAC/C,MAAM,MAAM,QAAQ,IAAI,eAAe,KAAK,EAAE,YAAY;AAAA,EAC1D,IAAI,OAAQ,YAAkC,SAAS,GAAG,GAAG;AAAA,IAC5D,OAAO;AAAA,EACR;AAAA,EACA,OAAO;AAAA;AAID,SAAS,cAAc,GAAY;AAAA,EACzC,OAAO,gBAAgB,MAAM;AAAA;AAIvB,SAAS,SAAS,GAAY;AAAA,EACpC,OAAO,gBAAgB,MAAM;AAAA;AAIvB,SAAS,eAAe,GAAY;AAAA,EAC1C,OAAO,gBAAgB,MAAM;AAAA;;;AC7C9B;AACA;AACA;AAqBA,IAAM,UAAU;AAChB,IAAM,SAAS;AACf,IAAM,UAAU;AAEhB,SAAS,eAAe,GAAW;AAAA,EAClC,MAAM,UAAU,QAAQ,QAAQ,IAAI,GAAG,YAAY;AAAA,EAGnD,IAAI,WAAW,OAAO,GAAG;AAAA,IACxB,MAAM,WAAW,aAAa,SAAS,MAAM;AAAA,IAC7C,MAAM,QAAQ,SAAS,MAAM,6CAA6C;AAAA,IAC1E,IAAI,OAAO;AAAA,MACV,QAAQ,IAAI,WAAW,MAAM;AAAA,MAC7B,OAAO,MAAM;AAAA,IACd;AAAA,EACD;AAAA,EAEA,MAAM,MAAM,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,EAC1C,MAAM,OAAO,GAAG,WAAW,OAAO,IAAI;AAAA,IAAO,KAAK,WAAW;AAAA;AAAA,EAC7D,eAAe,SAAS,MAAM,EAAE,MAAM,IAAM,CAAC;AAAA,EAC7C,QAAQ,IAAI,WAAW;AAAA,EACvB,QAAQ,IACP,2BAA2B,qBAAqB,qBACjD;AAAA,EACA,OAAO;AAAA;AAGR,SAAS,OAAO,GAAW;AAAA,EAC1B,IAAI,MAAM,QAAQ,IAAI;AAAA,EACtB,IAAI,CAAC,KAAK;AAAA,IACT,IAAI,gBAAgB,MAAM,OAAO;AAAA,MAChC,MAAM,gBAAgB;AAAA,IACvB,EAAO;AAAA,MACN,MAAM,IAAI,MACT,GAAG,0DACJ;AAAA;AAAA,EAEF;AAAA,EACA,MAAM,MAAM,OAAO,KAAK,KAAK,KAAK;AAAA,EAClC,IAAI,IAAI,WAAW,IAAI;AAAA,IACtB,MAAM,IAAI,MAAM,GAAG,qCAAqC,IAAI,SAAS;AAAA,EACtE;AAAA,EACA,OAAO;AAAA;AAGR,IAAI,aAA4B;AAChC,SAAS,MAAM,GAAW;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,aAAa,QAAQ;AAAA,EACtC,OAAO;AAAA;AAGD,SAAS,aAAa,CAAC,WAA2B;AAAA,EACxD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,YAAY,MAAM;AAAA,EAC7B,MAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAAA,EACpD,MAAM,aAAa,OAAO,OAAO;AAAA,IAChC,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACd,CAAC;AAAA,EACD,MAAM,MAAM,OAAO,WAAW;AAAA,EAC9B,OAAO,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC;AAAA;AAGpC,SAAS,aAAa,CAAC,UAA0B;AAAA,EACvD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,SAAS,SAAS,GAAG,MAAM;AAAA,EACtC,MAAM,MAAM,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,EACtD,MAAM,aAAa,SAAS,SAAS,SAAS,OAAO;AAAA,EACrD,MAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AAAA,EACxD,SAAS,WAAW,GAAG;AAAA,EACvB,OAAO,SAAS,OAAO,UAAU,EAAE,SAAS,MAAM,IAAI,SAAS,MAAM,MAAM;AAAA;AAIrE,SAAS,kBAAkB,GAAW;AAAA,EAC5C,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA;",
+  "debugId": "982B15A94DFBA98464756E2164756E21",
   "names": []
 }

package/dist/src/db/index.d.ts

@@ -3,8 +3,12 @@ import { RawBuilder } from "kysely";
 * Safely encode a JS value as a JSONB literal for Kysely inserts/updates.
 * Kysely + postgres.js double-encodes JSON when using parameterized queries
 * with ::jsonb casts. This uses sql.raw to inline a properly escaped literal.
+*
+* Generic parameter lets callers set the RawBuilder's output type so they
+* don't need to cast at the insert site. Default is `unknown` — widen at
+* the call site when the column type is narrower, e.g. `jsonb<MyShape>(...)`.
 */
-declare function jsonb(value: unknown): RawBuilder<unknown>;
+declare function jsonb<T = unknown>(value: T): RawBuilder<T>;
 /**
 * Safely parse a JSONB value from the database.
 * Handles double-encoded strings where postgres.js returns a JSON string
@@ -74,10 +78,6 @@ interface SubgraphsTable {
 	handler_code: string | null;
 	source_code: string | null;
 	project_id: string | null;
-	is_public: Generated<boolean>;
-	tags: Generated<string[]>;
-	description: string | null;
-	forked_from_id: string | null;
 	created_at: Generated<Date>;
 	updated_at: Generated<Date>;
 }
@@ -112,6 +112,7 @@ interface AccountsTable {
 	bio: string | null;
 	avatar_url: string | null;
 	slug: string | null;
+	stripe_customer_id: string | null;
 	created_at: Generated<Date>;
 }
 interface SessionsTable {
@@ -137,6 +138,7 @@ interface MagicLinksTable {
 }
 interface UsageDailyTable {
 	account_id: string;
+	tenant_id: string | null;
 	date: string;
 	api_requests: Generated<number>;
 	deliveries: Generated<number>;
@@ -263,83 +265,6 @@ interface ChatMessagesTable {
 	metadata: unknown | null;
 	created_at: Generated<Date>;
 }
-interface WorkflowDefinitionsTable {
-	id: Generated<string>;
-	name: string;
-	version: Generated<string>;
-	status: Generated<string>;
-	trigger_type: string;
-	trigger_config: unknown;
-	handler_path: string;
-	source_code: string | null;
-	retries_config: unknown | null;
-	timeout_ms: number | null;
-	api_key_id: string;
-	project_id: string | null;
-	created_at: Generated<Date>;
-	updated_at: Generated<Date>;
-}
-interface WorkflowRunsTable {
-	id: Generated<string>;
-	definition_id: string;
-	status: Generated<string>;
-	trigger_type: string;
-	trigger_data: unknown | null;
-	dedup_key: string | null;
-	error: string | null;
-	started_at: Date | null;
-	completed_at: Date | null;
-	duration_ms: number | null;
-	total_ai_tokens: Generated<number>;
-	created_at: Generated<Date>;
-}
-interface WorkflowStepsTable {
-	id: Generated<string>;
-	run_id: string;
-	step_index: number;
-	step_id: string;
-	step_type: string;
-	status: Generated<string>;
-	input: unknown | null;
-	output: unknown | null;
-	error: string | null;
-	retry_count: Generated<number>;
-	ai_tokens_used: Generated<number>;
-	started_at: Date | null;
-	completed_at: Date | null;
-	duration_ms: number | null;
-	memo_key: string | null;
-	parent_step_id: string | null;
-	created_at: Generated<Date>;
-}
-interface WorkflowQueueTable {
-	id: Generated<string>;
-	run_id: string;
-	status: Generated<string>;
-	attempts: Generated<number>;
-	max_attempts: Generated<number>;
-	scheduled_for: Generated<Date>;
-	locked_at: Date | null;
-	locked_by: string | null;
-	error: string | null;
-	created_at: Generated<Date>;
-	completed_at: Date | null;
-}
-interface WorkflowSchedulesTable {
-	id: Generated<string>;
-	definition_id: string;
-	cron_expr: string;
-	timezone: Generated<string>;
-	next_run_at: Date;
-	last_run_at: Date | null;
-	enabled: Generated<boolean>;
-	created_at: Generated<Date>;
-}
-interface WorkflowCursorsTable {
-	name: string;
-	block_height: Generated<number>;
-	updated_at: Generated<Date>;
-}
 interface Database {
 	blocks: BlocksTable;
 	transactions: TransactionsTable;
@@ -365,17 +290,14 @@ interface Database {
 	team_invitations: TeamInvitationsTable;
 	chat_sessions: ChatSessionsTable;
 	chat_messages: ChatMessagesTable;
-	workflow_definitions: WorkflowDefinitionsTable;
-	workflow_runs: WorkflowRunsTable;
-	workflow_steps: WorkflowStepsTable;
-	workflow_queue: WorkflowQueueTable;
-	workflow_schedules: WorkflowSchedulesTable;
-	workflow_cursors: WorkflowCursorsTable;
-	workflow_signer_secrets: WorkflowSignerSecretsTable;
-	workflow_budgets: WorkflowBudgetsTable;
 	tenants: TenantsTable;
 	tenant_usage_monthly: TenantUsageMonthlyTable;
+	tenant_compute_addons: TenantComputeAddonsTable;
+	account_spend_caps: AccountSpendCapsTable;
 	provisioning_audit_log: ProvisioningAuditLogTable;
+	subscriptions: SubscriptionsTable;
+	subscription_outbox: SubscriptionOutboxTable;
+	subscription_deliveries: SubscriptionDeliveriesTable;
 }
 type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
 interface TenantsTable {
@@ -397,9 +319,9 @@ interface TenantsTable {
 	service_key_enc: Buffer;
 	api_url_internal: string;
 	api_url_public: string;
-	trial_ends_at: Date;
 	suspended_at: Date | null;
 	last_health_check_at: Date | null;
+	last_active_at: Generated<Date>;
 	service_gen: Generated<number>;
 	anon_gen: Generated<number>;
 	project_id: string | null;
@@ -423,6 +345,34 @@ interface TenantUsageMonthlyTable {
 type TenantUsageMonthly = Selectable<TenantUsageMonthlyTable>;
 type InsertTenantUsageMonthly = Insertable<TenantUsageMonthlyTable>;
 type UpdateTenantUsageMonthly = Updateable<TenantUsageMonthlyTable>;
+interface TenantComputeAddonsTable {
+	id: Generated<string>;
+	tenant_id: string;
+	memory_mb_delta: Generated<number>;
+	cpu_delta: Generated<number | string>;
+	storage_mb_delta: Generated<number>;
+	effective_from: Generated<Date>;
+	effective_until: Date | null;
+	stripe_subscription_item_id: string | null;
+	created_at: Generated<Date>;
+}
+type TenantComputeAddon = Selectable<TenantComputeAddonsTable>;
+type InsertTenantComputeAddon = Insertable<TenantComputeAddonsTable>;
+type UpdateTenantComputeAddon = Updateable<TenantComputeAddonsTable>;
+interface AccountSpendCapsTable {
+	account_id: string;
+	monthly_cap_cents: number | null;
+	compute_cap_cents: number | null;
+	storage_cap_cents: number | null;
+	ai_cap_cents: number | null;
+	alert_threshold_pct: Generated<number>;
+	alert_sent_at: Date | null;
+	frozen_at: Date | null;
+	updated_at: Generated<Date>;
+}
+type AccountSpendCap = Selectable<AccountSpendCapsTable>;
+type InsertAccountSpendCap = Insertable<AccountSpendCapsTable>;
+type UpdateAccountSpendCap = Updateable<AccountSpendCapsTable>;
 type ProvisioningAuditEvent = "provision.start" | "provision.success" | "provision.failure" | "suspend" | "resume" | "resize" | "keys.rotate" | "bastion.key.upload" | "bastion.key.revoke" | "teardown";
 type ProvisioningAuditStatus = "ok" | "error";
 interface ProvisioningAuditLogTable {
@@ -439,30 +389,6 @@ interface ProvisioningAuditLogTable {
 }
 type ProvisioningAuditLog = Selectable<ProvisioningAuditLogTable>;
 type InsertProvisioningAuditLog = Insertable<ProvisioningAuditLogTable>;
-interface WorkflowBudgetsTable {
-	id: Generated<string>;
-	workflow_definition_id: string;
-	/** Period key: "daily:YYYY-MM-DD" | "weekly:YYYY-Www" | "per-run:<uuid>". */
-	period: string;
-	ai_usd_used: Generated<string>;
-	ai_tokens_used: Generated<string>;
-	chain_microstx_used: Generated<string>;
-	chain_tx_count: Generated<number>;
-	run_count: Generated<number>;
-	step_count: Generated<number>;
-	reset_at: Date;
-	created_at: Generated<Date>;
-	updated_at: Generated<Date>;
-}
-interface WorkflowSignerSecretsTable {
-	id: Generated<string>;
-	account_id: string;
-	name: string;
-	/** AES-GCM ciphertext bytes produced by the runner's KMS on write. */
-	encrypted_value: Buffer;
-	created_at: Generated<Date>;
-	updated_at: Generated<Date>;
-}
 type Block = Selectable<BlocksTable>;
 type InsertBlock = Insertable<BlocksTable>;
 type UpdateBlock = Updateable<BlocksTable>;
@@ -499,27 +425,6 @@ type SubgraphGap = Selectable<SubgraphGapsTable>;
 type InsertSubgraphGap = Insertable<SubgraphGapsTable>;
 type SubgraphUsageDaily = Selectable<SubgraphUsageDailyTable>;
 type InsertSubgraphUsageDaily = Insertable<SubgraphUsageDailyTable>;
-type WorkflowDefinition = Selectable<WorkflowDefinitionsTable>;
-type InsertWorkflowDefinition = Insertable<WorkflowDefinitionsTable>;
-type UpdateWorkflowDefinition = Updateable<WorkflowDefinitionsTable>;
-type WorkflowRun = Selectable<WorkflowRunsTable>;
-type InsertWorkflowRun = Insertable<WorkflowRunsTable>;
-type UpdateWorkflowRun = Updateable<WorkflowRunsTable>;
-type WorkflowStep = Selectable<WorkflowStepsTable>;
-type InsertWorkflowStep = Insertable<WorkflowStepsTable>;
-type UpdateWorkflowStep = Updateable<WorkflowStepsTable>;
-type WorkflowQueueItem = Selectable<WorkflowQueueTable>;
-type InsertWorkflowQueueItem = Insertable<WorkflowQueueTable>;
-type WorkflowSchedule = Selectable<WorkflowSchedulesTable>;
-type InsertWorkflowSchedule = Insertable<WorkflowSchedulesTable>;
-type UpdateWorkflowSchedule = Updateable<WorkflowSchedulesTable>;
-type WorkflowCursor = Selectable<WorkflowCursorsTable>;
-type WorkflowSignerSecret = Selectable<WorkflowSignerSecretsTable>;
-type InsertWorkflowSignerSecret = Insertable<WorkflowSignerSecretsTable>;
-type UpdateWorkflowSignerSecret = Updateable<WorkflowSignerSecretsTable>;
-type WorkflowBudget = Selectable<WorkflowBudgetsTable>;
-type InsertWorkflowBudget = Insertable<WorkflowBudgetsTable>;
-type UpdateWorkflowBudget = Updateable<WorkflowBudgetsTable>;
 type Project = Selectable<ProjectsTable>;
 type InsertProject = Insertable<ProjectsTable>;
 type UpdateProject = Updateable<ProjectsTable>;
@@ -532,6 +437,76 @@ type InsertChatSession = Insertable<ChatSessionsTable>;
 type UpdateChatSession = Updateable<ChatSessionsTable>;
 type ChatMessage = Selectable<ChatMessagesTable>;
 type InsertChatMessage = Insertable<ChatMessagesTable>;
+type SubscriptionStatus = "active" | "paused" | "error";
+type SubscriptionFormat = "standard-webhooks" | "inngest" | "trigger" | "cloudflare" | "cloudevents" | "raw";
+type SubscriptionRuntime = "inngest" | "trigger" | "cloudflare" | "node";
+interface SubscriptionsTable {
+	id: Generated<string>;
+	account_id: string;
+	project_id: string | null;
+	name: string;
+	status: ColumnType<SubscriptionStatus, SubscriptionStatus | undefined, SubscriptionStatus>;
+	subgraph_name: string;
+	table_name: string;
+	filter: Generated<unknown>;
+	format: ColumnType<SubscriptionFormat, SubscriptionFormat | undefined, SubscriptionFormat>;
+	runtime: SubscriptionRuntime | null;
+	url: string;
+	signing_secret_enc: Buffer;
+	auth_config: Generated<unknown>;
+	max_retries: Generated<number>;
+	timeout_ms: Generated<number>;
+	concurrency: Generated<number>;
+	circuit_failures: Generated<number>;
+	circuit_opened_at: Date | null;
+	last_delivery_at: Date | null;
+	last_success_at: Date | null;
+	last_error: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+type Subscription = Selectable<SubscriptionsTable>;
+type InsertSubscription = Insertable<SubscriptionsTable>;
+type UpdateSubscription = Updateable<SubscriptionsTable>;
+type OutboxStatus = "pending" | "delivered" | "dead";
+interface SubscriptionOutboxTable {
+	id: Generated<string>;
+	subscription_id: string;
+	subgraph_name: string;
+	table_name: string;
+	block_height: number | bigint;
+	tx_id: string | null;
+	row_pk: unknown;
+	event_type: string;
+	payload: unknown;
+	dedup_key: string;
+	attempt: Generated<number>;
+	next_attempt_at: Generated<Date>;
+	status: ColumnType<OutboxStatus, OutboxStatus | undefined, OutboxStatus>;
+	is_replay: Generated<boolean>;
+	delivered_at: Date | null;
+	failed_at: Date | null;
+	locked_by: string | null;
+	locked_until: Date | null;
+	created_at: Generated<Date>;
+}
+type SubscriptionOutbox = Selectable<SubscriptionOutboxTable>;
+type InsertSubscriptionOutbox = Insertable<SubscriptionOutboxTable>;
+type UpdateSubscriptionOutbox = Updateable<SubscriptionOutboxTable>;
+interface SubscriptionDeliveriesTable {
+	id: Generated<string>;
+	outbox_id: string;
+	subscription_id: string;
+	attempt: number;
+	status_code: number | null;
+	response_headers: unknown | null;
+	response_body: string | null;
+	error_message: string | null;
+	duration_ms: number | null;
+	dispatched_at: Generated<Date>;
+}
+type SubscriptionDelivery = Selectable<SubscriptionDeliveriesTable>;
+type InsertSubscriptionDelivery = Insertable<SubscriptionDeliveriesTable>;
 import { sql } from "kysely";
 /**
 * Kysely instance for the SOURCE DB (block/tx/event reads from the shared
@@ -557,4 +532,4 @@ declare function getDb(connectionString?: string): Kysely<Database>;
 declare function getRawClient(role?: "source" | "target"): ReturnType<typeof postgres>;
 /** Close all DB connection pools. Call in CLI commands to allow process exit. */
 declare function closeDb(): Promise<void>;
-export { sql, parseJsonb, jsonb, getTargetDb, getSourceDb, getRawClient, getDb, closeDb, WorkflowStepsTable, WorkflowStep, WorkflowSignerSecretsTable, WorkflowSignerSecret, WorkflowSchedulesTable, WorkflowSchedule, WorkflowRunsTable, WorkflowRun, WorkflowQueueTable, WorkflowQueueItem, WorkflowDefinitionsTable, WorkflowDefinition, WorkflowCursorsTable, WorkflowCursor, WorkflowBudgetsTable, WorkflowBudget, WaitlistTable, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateWorkflowStep, UpdateWorkflowSignerSecret, UpdateWorkflowSchedule, UpdateWorkflowRun, UpdateWorkflowDefinition, UpdateWorkflowBudget, UpdateTransaction, UpdateTenantUsageMonthly, UpdateTenant, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, TransactionsTable, Transaction, TenantsTable, TenantUsageMonthlyTable, TenantUsageMonthly, TenantStatus, Tenant, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ProvisioningAuditStatus, ProvisioningAuditLogTable, ProvisioningAuditLog, ProvisioningAuditEvent, ProjectsTable, Project, MagicLinksTable, MagicLink, InsertWorkflowStep, InsertWorkflowSignerSecret, InsertWorkflowSchedule, InsertWorkflowRun, InsertWorkflowQueueItem, InsertWorkflowDefinition, InsertWorkflowBudget, InsertTransaction, InsertTenantUsageMonthly, InsertTenant, InsertTeamMember, InsertTeamInvitation, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProvisioningAuditLog, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, Event, Database, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };
+export { sql, parseJsonb, jsonb, getTargetDb, getSourceDb, getRawClient, getDb, closeDb, WaitlistTable, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateTransaction, UpdateTenantUsageMonthly, UpdateTenantComputeAddon, UpdateTenant, UpdateSubscriptionOutbox, UpdateSubscription, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, UpdateAccountSpendCap, TransactionsTable, Transaction, TenantsTable, TenantUsageMonthlyTable, TenantUsageMonthly, TenantStatus, TenantComputeAddonsTable, TenantComputeAddon, Tenant, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubscriptionsTable, SubscriptionStatus, SubscriptionRuntime, SubscriptionOutboxTable, SubscriptionOutbox, SubscriptionFormat, SubscriptionDelivery, SubscriptionDeliveriesTable, Subscription, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ProvisioningAuditStatus, ProvisioningAuditLogTable, ProvisioningAuditLog, ProvisioningAuditEvent, ProjectsTable, Project, OutboxStatus, MagicLinksTable, MagicLink, InsertTransaction, InsertTenantUsageMonthly, InsertTenantComputeAddon, InsertTenant, InsertTeamMember, InsertTeamInvitation, InsertSubscriptionOutbox, InsertSubscriptionDelivery, InsertSubscription, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProvisioningAuditLog, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountSpendCap, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, Event, Database, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountSpendCapsTable, AccountSpendCap, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };

package/dist/src/db/index.js.map

@@ -2,10 +2,10 @@
   "version": 3,
   "sources": ["../src/db/jsonb.ts", "../src/db/index.ts"],
   "sourcesContent": [
-    "import { type RawBuilder, sql } from \"kysely\";\n\n/**\n * Safely encode a JS value as a JSONB literal for Kysely inserts/updates.\n * Kysely + postgres.js double-encodes JSON when using parameterized queries\n * with ::jsonb casts. This uses sql.raw to inline a properly escaped literal.\n */\nexport function jsonb(value: unknown): RawBuilder<unknown> {\n\tconst escaped = JSON.stringify(value, (_k, v) =>\n\t\ttypeof v === \"bigint\" ? v.toString() : v,\n\t).replace(/'/g, \"''\");\n\treturn sql`${sql.raw(`'${escaped}'::jsonb`)}`;\n}\n\n/**\n * Safely parse a JSONB value from the database.\n * Handles double-encoded strings where postgres.js returns a JSON string\n * instead of a parsed object.\n */\nexport function parseJsonb<T = unknown>(value: unknown): T {\n\tif (typeof value === \"string\") {\n\t\ttry {\n\t\t\treturn JSON.parse(value) as T;\n\t\t} catch {\n\t\t\treturn value as T;\n\t\t}\n\t}\n\treturn (value ?? {}) as T;\n}\n",
+    "import { type RawBuilder, sql } from \"kysely\";\n\n/**\n * Safely encode a JS value as a JSONB literal for Kysely inserts/updates.\n * Kysely + postgres.js double-encodes JSON when using parameterized queries\n * with ::jsonb casts. This uses sql.raw to inline a properly escaped literal.\n *\n * Generic parameter lets callers set the RawBuilder's output type so they\n * don't need to cast at the insert site. Default is `unknown` — widen at\n * the call site when the column type is narrower, e.g. `jsonb<MyShape>(...)`.\n */\nexport function jsonb<T = unknown>(value: T): RawBuilder<T> {\n\tconst escaped = JSON.stringify(value, (_k, v) =>\n\t\ttypeof v === \"bigint\" ? v.toString() : v,\n\t).replace(/'/g, \"''\");\n\treturn sql`${sql.raw(`'${escaped}'::jsonb`)}`;\n}\n\n/**\n * Safely parse a JSONB value from the database.\n * Handles double-encoded strings where postgres.js returns a JSON string\n * instead of a parsed object.\n */\nexport function parseJsonb<T = unknown>(value: unknown): T {\n\tif (typeof value === \"string\") {\n\t\ttry {\n\t\t\treturn JSON.parse(value) as T;\n\t\t} catch {\n\t\t\treturn value as T;\n\t\t}\n\t}\n\treturn (value ?? {}) as T;\n}\n",
     "import { Kysely } from \"kysely\";\nimport { PostgresJSDialect } from \"kysely-postgres-js\";\nimport postgres from \"postgres\";\nimport type { Database } from \"./types.ts\";\n\nconst DEFAULT_URL =\n\t\"postgres://postgres:postgres@localhost:5432/secondlayer_dev\";\n\ninterface PoolEntry {\n\tdb: Kysely<Database>;\n\trawClient: ReturnType<typeof postgres>;\n}\n\n/**\n * Cache of Kysely + raw postgres.js pools keyed by resolved URL.\n * Two getters resolving to the same URL share one entry (single pool) —\n * this is the single-DB backward-compat contract: when only `DATABASE_URL`\n * is set, `getSourceDb() === getTargetDb()` (zero regression vs. pre-dual-DB).\n */\nconst pools = new Map<string, PoolEntry>();\n\nfunction resolveSourceUrl(): string {\n\treturn (\n\t\tprocess.env.SOURCE_DATABASE_URL || process.env.DATABASE_URL || DEFAULT_URL\n\t);\n}\n\nfunction resolveTargetUrl(): string {\n\treturn (\n\t\tprocess.env.TARGET_DATABASE_URL || process.env.DATABASE_URL || DEFAULT_URL\n\t);\n}\n\nfunction getOrCreatePool(url: string): PoolEntry {\n\tconst existing = pools.get(url);\n\tif (existing) return existing;\n\n\t// \"Local\" = we skip TLS. Any Docker service alias (single-label hostname\n\t// with no dots) is on an internal network and won't serve TLS.\n\tconst host = (() => {\n\t\ttry {\n\t\t\treturn new URL(url).hostname;\n\t\t} catch {\n\t\t\treturn \"\";\n\t\t}\n\t})();\n\tconst isLocal =\n\t\thost === \"localhost\" || host === \"127.0.0.1\" || !host.includes(\".\");\n\tconst poolMax = Number.parseInt(process.env.DATABASE_POOL_MAX ?? \"20\", 10);\n\tconst rawClient = postgres(url, {\n\t\tmax: poolMax,\n\t\tssl: isLocal\n\t\t\t? undefined\n\t\t\t: {\n\t\t\t\t\trejectUnauthorized: process.env.NODE_TLS_REJECT_UNAUTHORIZED !== \"0\",\n\t\t\t\t},\n\t});\n\tconst db = new Kysely<Database>({\n\t\tdialect: new PostgresJSDialect({ postgres: rawClient }),\n\t});\n\tconst entry: PoolEntry = { db, rawClient };\n\tpools.set(url, entry);\n\treturn entry;\n}\n\n/**\n * Kysely instance for the SOURCE DB (block/tx/event reads from the shared\n * indexer). Resolution: `SOURCE_DATABASE_URL || DATABASE_URL`.\n */\nexport function getSourceDb(): Kysely<Database> {\n\treturn getOrCreatePool(resolveSourceUrl()).db;\n}\n\n/**\n * Kysely instance for the TARGET DB (subgraph schemas, subgraphs table,\n * account-scoped data — tenant-side writes). Resolution:\n * `TARGET_DATABASE_URL || DATABASE_URL`.\n */\nexport function getTargetDb(): Kysely<Database> {\n\treturn getOrCreatePool(resolveTargetUrl()).db;\n}\n\n/**\n * Backward-compat alias for `getTargetDb()`. Accepts an optional\n * `connectionString` override used by seed/test helpers — when supplied,\n * bypasses env resolution and uses the provided URL directly (still cached).\n */\nexport function getDb(connectionString?: string): Kysely<Database> {\n\tif (connectionString) return getOrCreatePool(connectionString).db;\n\treturn getTargetDb();\n}\n\n/**\n * Raw postgres.js client for dynamic schema DDL (CREATE SCHEMA, DROP, etc.).\n * Defaults to the target role (tenant schemas live in the target DB).\n */\nexport function getRawClient(\n\trole: \"source\" | \"target\" = \"target\",\n): ReturnType<typeof postgres> {\n\tconst url = role === \"source\" ? resolveSourceUrl() : resolveTargetUrl();\n\treturn getOrCreatePool(url).rawClient;\n}\n\n/** Close all DB connection pools. Call in CLI commands to allow process exit. */\nexport async function closeDb(): Promise<void> {\n\tfor (const entry of pools.values()) {\n\t\tawait entry.db.destroy();\n\t\tawait entry.rawClient.end();\n\t}\n\tpools.clear();\n}\n\nimport { sql } from \"kysely\";\nexport { sql };\nexport * from \"./types.ts\";\nexport { jsonb, parseJsonb } from \"./jsonb.ts\";\n"
   ],
-  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAOO,SAAS,KAAK,CAAC,OAAqC;AAAA,EAC1D,MAAM,UAAU,KAAK,UAAU,OAAO,CAAC,IAAI,MAC1C,OAAO,MAAM,WAAW,EAAE,SAAS,IAAI,CACxC,EAAE,QAAQ,MAAM,IAAI;AAAA,EACpB,OAAO,MAAM,IAAI,IAAI,IAAI,iBAAiB;AAAA;AAQpC,SAAS,UAAuB,CAAC,OAAmB;AAAA,EAC1D,IAAI,OAAO,UAAU,UAAU;AAAA,IAC9B,IAAI;AAAA,MACH,OAAO,KAAK,MAAM,KAAK;AAAA,MACtB,MAAM;AAAA,MACP,OAAO;AAAA;AAAA,EAET;AAAA,EACA,OAAQ,SAAS,CAAC;AAAA;;;AC3BnB;AACA;AACA;AA8GA,gBAAS;AA3GT,IAAM,cACL;AAaD,IAAM,QAAQ,IAAI;AAElB,SAAS,gBAAgB,GAAW;AAAA,EACnC,OACC,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA;AAIjE,SAAS,gBAAgB,GAAW;AAAA,EACnC,OACC,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA;AAIjE,SAAS,eAAe,CAAC,KAAwB;AAAA,EAChD,MAAM,WAAW,MAAM,IAAI,GAAG;AAAA,EAC9B,IAAI;AAAA,IAAU,OAAO;AAAA,EAIrB,MAAM,QAAQ,MAAM;AAAA,IACnB,IAAI;AAAA,MACH,OAAO,IAAI,IAAI,GAAG,EAAE;AAAA,MACnB,MAAM;AAAA,MACP,OAAO;AAAA;AAAA,KAEN;AAAA,EACH,MAAM,UACL,SAAS,eAAe,SAAS,eAAe,CAAC,KAAK,SAAS,GAAG;AAAA,EACnE,MAAM,UAAU,OAAO,SAAS,QAAQ,IAAI,qBAAqB,MAAM,EAAE;AAAA,EACzE,MAAM,YAAY,SAAS,KAAK;AAAA,IAC/B,KAAK;AAAA,IACL,KAAK,UACF,YACA;AAAA,MACA,oBAAoB,QAAQ,IAAI,iCAAiC;AAAA,IAClE;AAAA,EACH,CAAC;AAAA,EACD,MAAM,KAAK,IAAI,OAAiB;AAAA,IAC/B,SAAS,IAAI,kBAAkB,EAAE,UAAU,UAAU,CAAC;AAAA,EACvD,CAAC;AAAA,EACD,MAAM,QAAmB,EAAE,IAAI,UAAU;AAAA,EACzC,MAAM,IAAI,KAAK,KAAK;AAAA,EACpB,OAAO;AAAA;AAOD,SAAS,WAAW,GAAqB;AAAA,EAC/C,OAAO,gBAAgB,iBAAiB,CAAC,EAAE;AAAA;AAQrC,SAAS,WAAW,GAAqB;AAAA,EAC/C,OAAO,gBAAgB,iBAAiB,CAAC,EAAE;AAAA;AAQrC,SAAS,KAAK,CAAC,kBAA6C;AAAA,EAClE,IAAI;AAAA,IAAkB,OAAO,gBAAgB,gBAAgB,EAAE;AAAA,EAC/D,OAAO,YAAY;AAAA;AAOb,SAAS,YAAY,CAC3B,OAA4B,UACE;AAAA,EAC9B,MAAM,MAAM,SAAS,WAAW,iBAAiB,IAAI,iBAAiB;AAAA,EACtE,OAAO,gBAAgB,GAAG,EAAE;AAAA;AAI7B,eAAsB,OAAO,GAAkB;AAAA,EAC9C,WAAW,SAAS,MAAM,OAAO,GAAG;AAAA,IACnC,MAAM,MAAM,GAAG,QAAQ;AAAA,IACvB,MAAM,MAAM,UAAU,IAAI;AAAA,EAC3B;AAAA,EACA,MAAM,MAAM;AAAA;",
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAWO,SAAS,KAAkB,CAAC,OAAyB;AAAA,EAC3D,MAAM,UAAU,KAAK,UAAU,OAAO,CAAC,IAAI,MAC1C,OAAO,MAAM,WAAW,EAAE,SAAS,IAAI,CACxC,EAAE,QAAQ,MAAM,IAAI;AAAA,EACpB,OAAO,MAAM,IAAI,IAAI,IAAI,iBAAiB;AAAA;AAQpC,SAAS,UAAuB,CAAC,OAAmB;AAAA,EAC1D,IAAI,OAAO,UAAU,UAAU;AAAA,IAC9B,IAAI;AAAA,MACH,OAAO,KAAK,MAAM,KAAK;AAAA,MACtB,MAAM;AAAA,MACP,OAAO;AAAA;AAAA,EAET;AAAA,EACA,OAAQ,SAAS,CAAC;AAAA;;;AC/BnB;AACA;AACA;AA8GA,gBAAS;AA3GT,IAAM,cACL;AAaD,IAAM,QAAQ,IAAI;AAElB,SAAS,gBAAgB,GAAW;AAAA,EACnC,OACC,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA;AAIjE,SAAS,gBAAgB,GAAW;AAAA,EACnC,OACC,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA;AAIjE,SAAS,eAAe,CAAC,KAAwB;AAAA,EAChD,MAAM,WAAW,MAAM,IAAI,GAAG;AAAA,EAC9B,IAAI;AAAA,IAAU,OAAO;AAAA,EAIrB,MAAM,QAAQ,MAAM;AAAA,IACnB,IAAI;AAAA,MACH,OAAO,IAAI,IAAI,GAAG,EAAE;AAAA,MACnB,MAAM;AAAA,MACP,OAAO;AAAA;AAAA,KAEN;AAAA,EACH,MAAM,UACL,SAAS,eAAe,SAAS,eAAe,CAAC,KAAK,SAAS,GAAG;AAAA,EACnE,MAAM,UAAU,OAAO,SAAS,QAAQ,IAAI,qBAAqB,MAAM,EAAE;AAAA,EACzE,MAAM,YAAY,SAAS,KAAK;AAAA,IAC/B,KAAK;AAAA,IACL,KAAK,UACF,YACA;AAAA,MACA,oBAAoB,QAAQ,IAAI,iCAAiC;AAAA,IAClE;AAAA,EACH,CAAC;AAAA,EACD,MAAM,KAAK,IAAI,OAAiB;AAAA,IAC/B,SAAS,IAAI,kBAAkB,EAAE,UAAU,UAAU,CAAC;AAAA,EACvD,CAAC;AAAA,EACD,MAAM,QAAmB,EAAE,IAAI,UAAU;AAAA,EACzC,MAAM,IAAI,KAAK,KAAK;AAAA,EACpB,OAAO;AAAA;AAOD,SAAS,WAAW,GAAqB;AAAA,EAC/C,OAAO,gBAAgB,iBAAiB,CAAC,EAAE;AAAA;AAQrC,SAAS,WAAW,GAAqB;AAAA,EAC/C,OAAO,gBAAgB,iBAAiB,CAAC,EAAE;AAAA;AAQrC,SAAS,KAAK,CAAC,kBAA6C;AAAA,EAClE,IAAI;AAAA,IAAkB,OAAO,gBAAgB,gBAAgB,EAAE;AAAA,EAC/D,OAAO,YAAY;AAAA;AAOb,SAAS,YAAY,CAC3B,OAA4B,UACE;AAAA,EAC9B,MAAM,MAAM,SAAS,WAAW,iBAAiB,IAAI,iBAAiB;AAAA,EACtE,OAAO,gBAAgB,GAAG,EAAE;AAAA;AAI7B,eAAsB,OAAO,GAAkB;AAAA,EAC9C,WAAW,SAAS,MAAM,OAAO,GAAG;AAAA,IACnC,MAAM,MAAM,GAAG,QAAQ;AAAA,IACvB,MAAM,MAAM,UAAU,IAAI;AAAA,EAC3B;AAAA,EACA,MAAM,MAAM;AAAA;",
   "debugId": "C0DD7408E000897364756E2164756E21",
   "names": []
 }

package/dist/src/db/jsonb.d.ts

@@ -3,8 +3,12 @@ import { RawBuilder } from "kysely";
 * Safely encode a JS value as a JSONB literal for Kysely inserts/updates.
 * Kysely + postgres.js double-encodes JSON when using parameterized queries
 * with ::jsonb casts. This uses sql.raw to inline a properly escaped literal.
+*
+* Generic parameter lets callers set the RawBuilder's output type so they
+* don't need to cast at the insert site. Default is `unknown` — widen at
+* the call site when the column type is narrower, e.g. `jsonb<MyShape>(...)`.
 */
-declare function jsonb(value: unknown): RawBuilder<unknown>;
+declare function jsonb<T = unknown>(value: T): RawBuilder<T>;
 /**
 * Safely parse a JSONB value from the database.
 * Handles double-encoded strings where postgres.js returns a JSON string

package/dist/src/db/jsonb.js.map

@@ -2,9 +2,9 @@
   "version": 3,
   "sources": ["../src/db/jsonb.ts"],
   "sourcesContent": [
-    "import { type RawBuilder, sql } from \"kysely\";\n\n/**\n * Safely encode a JS value as a JSONB literal for Kysely inserts/updates.\n * Kysely + postgres.js double-encodes JSON when using parameterized queries\n * with ::jsonb casts. This uses sql.raw to inline a properly escaped literal.\n */\nexport function jsonb(value: unknown): RawBuilder<unknown> {\n\tconst escaped = JSON.stringify(value, (_k, v) =>\n\t\ttypeof v === \"bigint\" ? v.toString() : v,\n\t).replace(/'/g, \"''\");\n\treturn sql`${sql.raw(`'${escaped}'::jsonb`)}`;\n}\n\n/**\n * Safely parse a JSONB value from the database.\n * Handles double-encoded strings where postgres.js returns a JSON string\n * instead of a parsed object.\n */\nexport function parseJsonb<T = unknown>(value: unknown): T {\n\tif (typeof value === \"string\") {\n\t\ttry {\n\t\t\treturn JSON.parse(value) as T;\n\t\t} catch {\n\t\t\treturn value as T;\n\t\t}\n\t}\n\treturn (value ?? {}) as T;\n}\n"
+    "import { type RawBuilder, sql } from \"kysely\";\n\n/**\n * Safely encode a JS value as a JSONB literal for Kysely inserts/updates.\n * Kysely + postgres.js double-encodes JSON when using parameterized queries\n * with ::jsonb casts. This uses sql.raw to inline a properly escaped literal.\n *\n * Generic parameter lets callers set the RawBuilder's output type so they\n * don't need to cast at the insert site. Default is `unknown` — widen at\n * the call site when the column type is narrower, e.g. `jsonb<MyShape>(...)`.\n */\nexport function jsonb<T = unknown>(value: T): RawBuilder<T> {\n\tconst escaped = JSON.stringify(value, (_k, v) =>\n\t\ttypeof v === \"bigint\" ? v.toString() : v,\n\t).replace(/'/g, \"''\");\n\treturn sql`${sql.raw(`'${escaped}'::jsonb`)}`;\n}\n\n/**\n * Safely parse a JSONB value from the database.\n * Handles double-encoded strings where postgres.js returns a JSON string\n * instead of a parsed object.\n */\nexport function parseJsonb<T = unknown>(value: unknown): T {\n\tif (typeof value === \"string\") {\n\t\ttry {\n\t\t\treturn JSON.parse(value) as T;\n\t\t} catch {\n\t\t\treturn value as T;\n\t\t}\n\t}\n\treturn (value ?? {}) as T;\n}\n"
   ],
-  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAOO,SAAS,KAAK,CAAC,OAAqC;AAAA,EAC1D,MAAM,UAAU,KAAK,UAAU,OAAO,CAAC,IAAI,MAC1C,OAAO,MAAM,WAAW,EAAE,SAAS,IAAI,CACxC,EAAE,QAAQ,MAAM,IAAI;AAAA,EACpB,OAAO,MAAM,IAAI,IAAI,IAAI,iBAAiB;AAAA;AAQpC,SAAS,UAAuB,CAAC,OAAmB;AAAA,EAC1D,IAAI,OAAO,UAAU,UAAU;AAAA,IAC9B,IAAI;AAAA,MACH,OAAO,KAAK,MAAM,KAAK;AAAA,MACtB,MAAM;AAAA,MACP,OAAO;AAAA;AAAA,EAET;AAAA,EACA,OAAQ,SAAS,CAAC;AAAA;",
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAWO,SAAS,KAAkB,CAAC,OAAyB;AAAA,EAC3D,MAAM,UAAU,KAAK,UAAU,OAAO,CAAC,IAAI,MAC1C,OAAO,MAAM,WAAW,EAAE,SAAS,IAAI,CACxC,EAAE,QAAQ,MAAM,IAAI;AAAA,EACpB,OAAO,MAAM,IAAI,IAAI,IAAI,iBAAiB;AAAA;AAQpC,SAAS,UAAuB,CAAC,OAAmB;AAAA,EAC1D,IAAI,OAAO,UAAU,UAAU;AAAA,IAC9B,IAAI;AAAA,MACH,OAAO,KAAK,MAAM,KAAK;AAAA,MACtB,MAAM;AAAA,MACP,OAAO;AAAA;AAAA,EAET;AAAA,EACA,OAAQ,SAAS,CAAC;AAAA;",
   "debugId": "DA6ABA81E2ABDC7864756E2164756E21",
   "names": []
 }