@secondlayer/shared 3.0.0-alpha.0 → 3.0.0-beta.2

package/dist/src/crypto/secrets.js

@@ -14,15 +14,59 @@ var __export = (target, all) => {
     });
 };
 
+// src/mode.ts
+var VALID_MODES = ["oss", "dedicated", "platform"];
+function getInstanceMode() {
+  const raw = process.env.INSTANCE_MODE?.trim().toLowerCase();
+  if (raw && VALID_MODES.includes(raw)) {
+    return raw;
+  }
+  return "oss";
+}
+function isPlatformMode() {
+  return getInstanceMode() === "platform";
+}
+function isOssMode() {
+  return getInstanceMode() === "oss";
+}
+function isDedicatedMode() {
+  return getInstanceMode() === "dedicated";
+}
+
 // src/crypto/secrets.ts
 import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+import { appendFileSync, existsSync, readFileSync } from "node:fs";
+import { resolve } from "node:path";
 var KEY_ENV = "SECONDLAYER_SECRETS_KEY";
 var IV_LEN = 12;
 var TAG_LEN = 16;
+function bootstrapOssKey() {
+  const envPath = resolve(process.cwd(), ".env.local");
+  if (existsSync(envPath)) {
+    const contents = readFileSync(envPath, "utf8");
+    const match = contents.match(/^SECONDLAYER_SECRETS_KEY=([a-fA-F0-9]{64})/m);
+    if (match) {
+      process.env[KEY_ENV] = match[1];
+      return match[1];
+    }
+  }
+  const hex = randomBytes(32).toString("hex");
+  const line = `${existsSync(envPath) ? `
+` : ""}${KEY_ENV}=${hex}
+`;
+  appendFileSync(envPath, line, { mode: 384 });
+  process.env[KEY_ENV] = hex;
+  console.log(`[secondlayer] generated ${KEY_ENV}; saved to ${envPath} (mode 0600)`);
+  return hex;
+}
 function loadKey() {
-  const hex = process.env[KEY_ENV];
+  let hex = process.env[KEY_ENV];
   if (!hex) {
-    throw new Error(`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`);
+    if (getInstanceMode() === "oss") {
+      hex = bootstrapOssKey();
+    } else {
+      throw new Error(`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`);
+    }
   }
   const key = Buffer.from(hex, "hex");
   if (key.length !== 32) {
@@ -65,5 +109,5 @@ export {
   decryptSecret
 };
 
-//# debugId=0FD7F496A1099A3864756E2164756E21
+//# debugId=982B15A94DFBA98464756E2164756E21
 //# sourceMappingURL=secrets.js.map

package/dist/src/crypto/secrets.js.map

@@ -1,10 +1,11 @@
 {
   "version": 3,
-  "sources": ["../src/crypto/secrets.ts"],
+  "sources": ["../src/mode.ts", "../src/crypto/secrets.ts"],
   "sourcesContent": [
-    "import { createCipheriv, createDecipheriv, randomBytes } from \"node:crypto\";\n\n/**\n * AES-256-GCM symmetric envelope for workflow signer secrets.\n *\n * Ciphertext layout: `iv (12 bytes) || authTag (16 bytes) || ciphertext`\n *\n * The key comes from `SECONDLAYER_SECRETS_KEY` — 32 bytes hex. Callers must\n * load + cache the key once per process. Rotation strategy: when a customer\n * wants to rotate keys, re-encrypt all rows with the new key and swap the\n * env var. Not zero-downtime, but acceptable at v2 scale.\n *\n * For real KMS (AWS KMS, HashiCorp Vault, GCP KMS), wrap the same byte\n * layout behind an `EncryptSecret` / `DecryptSecret` interface in the\n * runner and swap the implementation at startup.\n */\n\nconst KEY_ENV = \"SECONDLAYER_SECRETS_KEY\";\nconst IV_LEN = 12;\nconst TAG_LEN = 16;\n\nfunction loadKey(): Buffer {\n\tconst hex = process.env[KEY_ENV];\n\tif (!hex) {\n\t\tthrow new Error(\n\t\t\t`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`,\n\t\t);\n\t}\n\tconst key = Buffer.from(hex, \"hex\");\n\tif (key.length !== 32) {\n\t\tthrow new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);\n\t}\n\treturn key;\n}\n\nlet _cachedKey: Buffer | null = null;\nfunction getKey(): Buffer {\n\tif (!_cachedKey) _cachedKey = loadKey();\n\treturn _cachedKey;\n}\n\nexport function encryptSecret(plaintext: string): Buffer {\n\tconst key = getKey();\n\tconst iv = randomBytes(IV_LEN);\n\tconst cipher = createCipheriv(\"aes-256-gcm\", key, iv);\n\tconst ciphertext = Buffer.concat([\n\t\tcipher.update(plaintext, \"utf8\"),\n\t\tcipher.final(),\n\t]);\n\tconst tag = cipher.getAuthTag();\n\treturn Buffer.concat([iv, tag, ciphertext]);\n}\n\nexport function decryptSecret(envelope: Buffer): string {\n\tconst key = getKey();\n\tconst iv = envelope.subarray(0, IV_LEN);\n\tconst tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);\n\tconst ciphertext = envelope.subarray(IV_LEN + TAG_LEN);\n\tconst decipher = createDecipheriv(\"aes-256-gcm\", key, iv);\n\tdecipher.setAuthTag(tag);\n\treturn decipher.update(ciphertext).toString(\"utf8\") + decipher.final(\"utf8\");\n}\n\n/** Generate a fresh 32-byte hex key suitable for `SECONDLAYER_SECRETS_KEY`. */\nexport function generateSecretsKey(): string {\n\treturn randomBytes(32).toString(\"hex\");\n}\n"
+    "/**\n * Instance modes for the Secondlayer platform.\n *\n * - `oss`: self-hosted, single-tenant. No auth middleware, no platform routes\n *   (projects, admin, workflows). Everything runs against a single\n *   `DATABASE_URL`. Intended for `docker compose up`.\n *\n * - `dedicated`: per-customer managed instance. JWT-based auth (anon =\n *   read-only, service = full). Dual-DB mode — shared source indexer DB for\n *   block reads, per-tenant target DB for subgraph data. No platform-wide\n *   routes mounted (no cross-tenant accounts).\n *\n * - `platform`: control-plane mode. Magic-link auth, API keys, projects,\n *   tenants, admin. Serves the dashboard + CLI against a single shared DB.\n */\n\nexport type InstanceMode = \"oss\" | \"dedicated\" | \"platform\";\n\nconst VALID_MODES: readonly InstanceMode[] = [\"oss\", \"dedicated\", \"platform\"];\n\n/**\n * Resolve the active instance mode from `process.env.INSTANCE_MODE`.\n * Defaults to `\"oss\"` — the safest default for self-hosters who deploy\n * without setting the variable.\n */\nexport function getInstanceMode(): InstanceMode {\n\tconst raw = process.env.INSTANCE_MODE?.trim().toLowerCase();\n\tif (raw && (VALID_MODES as readonly string[]).includes(raw)) {\n\t\treturn raw as InstanceMode;\n\t}\n\treturn \"oss\";\n}\n\n/** True when the active mode is `\"platform\"` (shared multi-tenant). */\nexport function isPlatformMode(): boolean {\n\treturn getInstanceMode() === \"platform\";\n}\n\n/** True when the active mode is `\"oss\"` (self-hosted). */\nexport function isOssMode(): boolean {\n\treturn getInstanceMode() === \"oss\";\n}\n\n/** True when the active mode is `\"dedicated\"` (per-tenant managed). */\nexport function isDedicatedMode(): boolean {\n\treturn getInstanceMode() === \"dedicated\";\n}\n",
+    "import { createCipheriv, createDecipheriv, randomBytes } from \"node:crypto\";\nimport { appendFileSync, existsSync, readFileSync } from \"node:fs\";\nimport { resolve } from \"node:path\";\nimport { getInstanceMode } from \"../mode.ts\";\n\n/**\n * AES-256-GCM symmetric envelope for encrypted secrets at rest (tenant keys,\n * subscription signing secrets, etc.).\n *\n * Ciphertext layout: `iv (12 bytes) || authTag (16 bytes) || ciphertext`\n *\n * The key comes from `SECONDLAYER_SECRETS_KEY` — 32 bytes hex. In OSS mode,\n * if the env var is unset on first use we autogenerate a key and persist it\n * to `.env.local` in the current working directory so subsequent restarts\n * pick it up without user intervention. Dedicated/platform modes throw —\n * those runtimes must provision the key explicitly.\n *\n * Rotation strategy: re-encrypt all rows with the new key and swap the env\n * var. Not zero-downtime, but acceptable at v2 scale. For real KMS (AWS\n * KMS, Vault, GCP KMS), wrap the same byte layout behind an\n * `EncryptSecret`/`DecryptSecret` interface and swap at startup.\n */\n\nconst KEY_ENV = \"SECONDLAYER_SECRETS_KEY\";\nconst IV_LEN = 12;\nconst TAG_LEN = 16;\n\nfunction bootstrapOssKey(): string {\n\tconst envPath = resolve(process.cwd(), \".env.local\");\n\n\t// Check existing .env.local first — prior run may have written it.\n\tif (existsSync(envPath)) {\n\t\tconst contents = readFileSync(envPath, \"utf8\");\n\t\tconst match = contents.match(/^SECONDLAYER_SECRETS_KEY=([a-fA-F0-9]{64})/m);\n\t\tif (match) {\n\t\t\tprocess.env[KEY_ENV] = match[1];\n\t\t\treturn match[1];\n\t\t}\n\t}\n\n\tconst hex = randomBytes(32).toString(\"hex\");\n\tconst line = `${existsSync(envPath) ? \"\\n\" : \"\"}${KEY_ENV}=${hex}\\n`;\n\tappendFileSync(envPath, line, { mode: 0o600 });\n\tprocess.env[KEY_ENV] = hex;\n\tconsole.log(\n\t\t`[secondlayer] generated ${KEY_ENV}; saved to ${envPath} (mode 0600)`,\n\t);\n\treturn hex;\n}\n\nfunction loadKey(): Buffer {\n\tlet hex = process.env[KEY_ENV];\n\tif (!hex) {\n\t\tif (getInstanceMode() === \"oss\") {\n\t\t\thex = bootstrapOssKey();\n\t\t} else {\n\t\t\tthrow new Error(\n\t\t\t\t`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`,\n\t\t\t);\n\t\t}\n\t}\n\tconst key = Buffer.from(hex, \"hex\");\n\tif (key.length !== 32) {\n\t\tthrow new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);\n\t}\n\treturn key;\n}\n\nlet _cachedKey: Buffer | null = null;\nfunction getKey(): Buffer {\n\tif (!_cachedKey) _cachedKey = loadKey();\n\treturn _cachedKey;\n}\n\nexport function encryptSecret(plaintext: string): Buffer {\n\tconst key = getKey();\n\tconst iv = randomBytes(IV_LEN);\n\tconst cipher = createCipheriv(\"aes-256-gcm\", key, iv);\n\tconst ciphertext = Buffer.concat([\n\t\tcipher.update(plaintext, \"utf8\"),\n\t\tcipher.final(),\n\t]);\n\tconst tag = cipher.getAuthTag();\n\treturn Buffer.concat([iv, tag, ciphertext]);\n}\n\nexport function decryptSecret(envelope: Buffer): string {\n\tconst key = getKey();\n\tconst iv = envelope.subarray(0, IV_LEN);\n\tconst tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);\n\tconst ciphertext = envelope.subarray(IV_LEN + TAG_LEN);\n\tconst decipher = createDecipheriv(\"aes-256-gcm\", key, iv);\n\tdecipher.setAuthTag(tag);\n\treturn decipher.update(ciphertext).toString(\"utf8\") + decipher.final(\"utf8\");\n}\n\n/** Generate a fresh 32-byte hex key suitable for `SECONDLAYER_SECRETS_KEY`. */\nexport function generateSecretsKey(): string {\n\treturn randomBytes(32).toString(\"hex\");\n}\n"
   ],
-  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAiBA,IAAM,UAAU;AAChB,IAAM,SAAS;AACf,IAAM,UAAU;AAEhB,SAAS,OAAO,GAAW;AAAA,EAC1B,MAAM,MAAM,QAAQ,IAAI;AAAA,EACxB,IAAI,CAAC,KAAK;AAAA,IACT,MAAM,IAAI,MACT,GAAG,0DACJ;AAAA,EACD;AAAA,EACA,MAAM,MAAM,OAAO,KAAK,KAAK,KAAK;AAAA,EAClC,IAAI,IAAI,WAAW,IAAI;AAAA,IACtB,MAAM,IAAI,MAAM,GAAG,qCAAqC,IAAI,SAAS;AAAA,EACtE;AAAA,EACA,OAAO;AAAA;AAGR,IAAI,aAA4B;AAChC,SAAS,MAAM,GAAW;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,aAAa,QAAQ;AAAA,EACtC,OAAO;AAAA;AAGD,SAAS,aAAa,CAAC,WAA2B;AAAA,EACxD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,YAAY,MAAM;AAAA,EAC7B,MAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAAA,EACpD,MAAM,aAAa,OAAO,OAAO;AAAA,IAChC,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACd,CAAC;AAAA,EACD,MAAM,MAAM,OAAO,WAAW;AAAA,EAC9B,OAAO,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC;AAAA;AAGpC,SAAS,aAAa,CAAC,UAA0B;AAAA,EACvD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,SAAS,SAAS,GAAG,MAAM;AAAA,EACtC,MAAM,MAAM,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,EACtD,MAAM,aAAa,SAAS,SAAS,SAAS,OAAO;AAAA,EACrD,MAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AAAA,EACxD,SAAS,WAAW,GAAG;AAAA,EACvB,OAAO,SAAS,OAAO,UAAU,EAAE,SAAS,MAAM,IAAI,SAAS,MAAM,MAAM;AAAA;AAIrE,SAAS,kBAAkB,GAAW;AAAA,EAC5C,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA;",
-  "debugId": "0FD7F496A1099A3864756E2164756E21",
+  "mappings": ";;;;;;;;;;;;;;;;;AAkBA,IAAM,cAAuC,CAAC,OAAO,aAAa,UAAU;AAOrE,SAAS,eAAe,GAAiB;AAAA,EAC/C,MAAM,MAAM,QAAQ,IAAI,eAAe,KAAK,EAAE,YAAY;AAAA,EAC1D,IAAI,OAAQ,YAAkC,SAAS,GAAG,GAAG;AAAA,IAC5D,OAAO;AAAA,EACR;AAAA,EACA,OAAO;AAAA;AAID,SAAS,cAAc,GAAY;AAAA,EACzC,OAAO,gBAAgB,MAAM;AAAA;AAIvB,SAAS,SAAS,GAAY;AAAA,EACpC,OAAO,gBAAgB,MAAM;AAAA;AAIvB,SAAS,eAAe,GAAY;AAAA,EAC1C,OAAO,gBAAgB,MAAM;AAAA;;;AC7C9B;AACA;AACA;AAqBA,IAAM,UAAU;AAChB,IAAM,SAAS;AACf,IAAM,UAAU;AAEhB,SAAS,eAAe,GAAW;AAAA,EAClC,MAAM,UAAU,QAAQ,QAAQ,IAAI,GAAG,YAAY;AAAA,EAGnD,IAAI,WAAW,OAAO,GAAG;AAAA,IACxB,MAAM,WAAW,aAAa,SAAS,MAAM;AAAA,IAC7C,MAAM,QAAQ,SAAS,MAAM,6CAA6C;AAAA,IAC1E,IAAI,OAAO;AAAA,MACV,QAAQ,IAAI,WAAW,MAAM;AAAA,MAC7B,OAAO,MAAM;AAAA,IACd;AAAA,EACD;AAAA,EAEA,MAAM,MAAM,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,EAC1C,MAAM,OAAO,GAAG,WAAW,OAAO,IAAI;AAAA,IAAO,KAAK,WAAW;AAAA;AAAA,EAC7D,eAAe,SAAS,MAAM,EAAE,MAAM,IAAM,CAAC;AAAA,EAC7C,QAAQ,IAAI,WAAW;AAAA,EACvB,QAAQ,IACP,2BAA2B,qBAAqB,qBACjD;AAAA,EACA,OAAO;AAAA;AAGR,SAAS,OAAO,GAAW;AAAA,EAC1B,IAAI,MAAM,QAAQ,IAAI;AAAA,EACtB,IAAI,CAAC,KAAK;AAAA,IACT,IAAI,gBAAgB,MAAM,OAAO;AAAA,MAChC,MAAM,gBAAgB;AAAA,IACvB,EAAO;AAAA,MACN,MAAM,IAAI,MACT,GAAG,0DACJ;AAAA;AAAA,EAEF;AAAA,EACA,MAAM,MAAM,OAAO,KAAK,KAAK,KAAK;AAAA,EAClC,IAAI,IAAI,WAAW,IAAI;AAAA,IACtB,MAAM,IAAI,MAAM,GAAG,qCAAqC,IAAI,SAAS;AAAA,EACtE;AAAA,EACA,OAAO;AAAA;AAGR,IAAI,aAA4B;AAChC,SAAS,MAAM,GAAW;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,aAAa,QAAQ;AAAA,EACtC,OAAO;AAAA;AAGD,SAAS,aAAa,CAAC,WAA2B;AAAA,EACxD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,YAAY,MAAM;AAAA,EAC7B,MAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAAA,EACpD,MAAM,aAAa,OAAO,OAAO;AAAA,IAChC,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACd,CAAC;AAAA,EACD,MAAM,MAAM,OAAO,WAAW;AAAA,EAC9B,OAAO,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC;AAAA;AAGpC,SAAS,aAAa,CAAC,UAA0B;AAAA,EACvD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,SAAS,SAAS,GAAG,MAAM;AAAA,EACtC,MAAM,MAAM,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,EACtD,MAAM,aAAa,SAAS,SAAS,SAAS,OAAO;AAAA,EACrD,MAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AAAA,EACxD,SAAS,WAAW,GAAG;AAAA,EACvB,OAAO,SAAS,OAAO,UAAU,EAAE,SAAS,MAAM,IAAI,SAAS,MAAM,MAAM;AAAA;AAIrE,SAAS,kBAAkB,GAAW;AAAA,EAC5C,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA;",
+  "debugId": "982B15A94DFBA98464756E2164756E21",
   "names": []
 }

package/dist/src/crypto/standard-webhooks.d.ts

@@ -0,0 +1,33 @@
+/**
+* Standard Webhooks signing helpers — https://standardwebhooks.com
+*
+* Produces the three headers that every Standard Webhooks receiver expects:
+*   webhook-id         — UUID identifying the delivery (used for dedup)
+*   webhook-timestamp  — unix seconds, receiver rejects if skew > tolerance
+*   webhook-signature  — space-separated list of `vN,<base64-hmac>` tuples
+*
+* The signed content is `{id}.{timestamp}.{body}`. The HMAC key is the raw
+* bytes of the secret. If the secret is a `whsec_`-prefixed base64 string
+* (the Svix convention) we base64-decode after stripping the prefix;
+* otherwise we use the UTF-8 bytes directly.
+*/
+interface StandardWebhooksHeaders {
+	"webhook-id": string;
+	"webhook-timestamp": string;
+	"webhook-signature": string;
+}
+interface SignOptions {
+	/** Override the delivery id. Defaults to a random UUID v4. */
+	id?: string;
+	/** Override the timestamp (unix seconds). Defaults to `Date.now()`. */
+	timestampSeconds?: number;
+}
+declare function sign(body: string, secret: string, opts?: SignOptions): StandardWebhooksHeaders;
+interface VerifyOptions {
+	/** Max clock skew in seconds. Default 5 minutes per spec. */
+	toleranceSeconds?: number;
+	/** Current time in unix seconds. Injectable for testing. */
+	nowSeconds?: number;
+}
+declare function verify(body: string, headers: StandardWebhooksHeaders | Record<string, string | string[] | undefined>, secret: string, opts?: VerifyOptions): boolean;
+export { verify, sign, VerifyOptions, StandardWebhooksHeaders, SignOptions };

package/dist/src/crypto/standard-webhooks.js

@@ -0,0 +1,77 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+
+// src/crypto/standard-webhooks.ts
+import { createHmac, randomUUID } from "node:crypto";
+function secretToKey(secret) {
+  if (secret.startsWith("whsec_")) {
+    return Buffer.from(secret.slice("whsec_".length), "base64");
+  }
+  return Buffer.from(secret, "utf8");
+}
+function sign(body, secret, opts = {}) {
+  const id = opts.id ?? randomUUID();
+  const timestamp = String(opts.timestampSeconds ?? Math.floor(Date.now() / 1000));
+  const toSign = `${id}.${timestamp}.${body}`;
+  const key = secretToKey(secret);
+  const signature = createHmac("sha256", key).update(toSign).digest("base64");
+  return {
+    "webhook-id": id,
+    "webhook-timestamp": timestamp,
+    "webhook-signature": `v1,${signature}`
+  };
+}
+function verify(body, headers, secret, opts = {}) {
+  const pick = (k) => {
+    const v = headers[k];
+    return typeof v === "string" ? v : undefined;
+  };
+  const id = pick("webhook-id");
+  const timestamp = pick("webhook-timestamp");
+  const sigHeader = pick("webhook-signature");
+  if (!id || !timestamp || !sigHeader)
+    return false;
+  const ts = Number.parseInt(timestamp, 10);
+  if (!Number.isFinite(ts))
+    return false;
+  const tolerance = opts.toleranceSeconds ?? 5 * 60;
+  const now = opts.nowSeconds ?? Math.floor(Date.now() / 1000);
+  if (Math.abs(now - ts) > tolerance)
+    return false;
+  const key = secretToKey(secret);
+  const expected = createHmac("sha256", key).update(`${id}.${timestamp}.${body}`).digest("base64");
+  for (const part of sigHeader.split(" ")) {
+    const [version, sig] = part.split(",", 2);
+    if (version !== "v1" || !sig)
+      continue;
+    if (sig.length !== expected.length)
+      continue;
+    let diff = 0;
+    for (let i = 0;i < sig.length; i++) {
+      diff |= sig.charCodeAt(i) ^ expected.charCodeAt(i);
+    }
+    if (diff === 0)
+      return true;
+  }
+  return false;
+}
+export {
+  verify,
+  sign
+};
+
+//# debugId=AE46F7E38D913C0D64756E2164756E21
+//# sourceMappingURL=standard-webhooks.js.map

package/dist/src/crypto/standard-webhooks.js.map

@@ -0,0 +1,10 @@
+{
+  "version": 3,
+  "sources": ["../src/crypto/standard-webhooks.ts"],
+  "sourcesContent": [
+    "import { createHmac, randomUUID } from \"node:crypto\";\n\n/**\n * Standard Webhooks signing helpers — https://standardwebhooks.com\n *\n * Produces the three headers that every Standard Webhooks receiver expects:\n *   webhook-id         — UUID identifying the delivery (used for dedup)\n *   webhook-timestamp  — unix seconds, receiver rejects if skew > tolerance\n *   webhook-signature  — space-separated list of `vN,<base64-hmac>` tuples\n *\n * The signed content is `{id}.{timestamp}.{body}`. The HMAC key is the raw\n * bytes of the secret. If the secret is a `whsec_`-prefixed base64 string\n * (the Svix convention) we base64-decode after stripping the prefix;\n * otherwise we use the UTF-8 bytes directly.\n */\n\nexport interface StandardWebhooksHeaders {\n\t\"webhook-id\": string;\n\t\"webhook-timestamp\": string;\n\t\"webhook-signature\": string;\n}\n\nexport interface SignOptions {\n\t/** Override the delivery id. Defaults to a random UUID v4. */\n\tid?: string;\n\t/** Override the timestamp (unix seconds). Defaults to `Date.now()`. */\n\ttimestampSeconds?: number;\n}\n\nfunction secretToKey(secret: string): Buffer {\n\tif (secret.startsWith(\"whsec_\")) {\n\t\treturn Buffer.from(secret.slice(\"whsec_\".length), \"base64\");\n\t}\n\treturn Buffer.from(secret, \"utf8\");\n}\n\nexport function sign(\n\tbody: string,\n\tsecret: string,\n\topts: SignOptions = {},\n): StandardWebhooksHeaders {\n\tconst id = opts.id ?? randomUUID();\n\tconst timestamp = String(\n\t\topts.timestampSeconds ?? Math.floor(Date.now() / 1000),\n\t);\n\tconst toSign = `${id}.${timestamp}.${body}`;\n\tconst key = secretToKey(secret);\n\tconst signature = createHmac(\"sha256\", key).update(toSign).digest(\"base64\");\n\treturn {\n\t\t\"webhook-id\": id,\n\t\t\"webhook-timestamp\": timestamp,\n\t\t\"webhook-signature\": `v1,${signature}`,\n\t};\n}\n\nexport interface VerifyOptions {\n\t/** Max clock skew in seconds. Default 5 minutes per spec. */\n\ttoleranceSeconds?: number;\n\t/** Current time in unix seconds. Injectable for testing. */\n\tnowSeconds?: number;\n}\n\nexport function verify(\n\tbody: string,\n\theaders:\n\t\t| StandardWebhooksHeaders\n\t\t| Record<string, string | string[] | undefined>,\n\tsecret: string,\n\topts: VerifyOptions = {},\n): boolean {\n\tconst pick = (k: string) => {\n\t\tconst v = (headers as Record<string, unknown>)[k];\n\t\treturn typeof v === \"string\" ? v : undefined;\n\t};\n\tconst id = pick(\"webhook-id\");\n\tconst timestamp = pick(\"webhook-timestamp\");\n\tconst sigHeader = pick(\"webhook-signature\");\n\tif (!id || !timestamp || !sigHeader) return false;\n\n\tconst ts = Number.parseInt(timestamp, 10);\n\tif (!Number.isFinite(ts)) return false;\n\tconst tolerance = opts.toleranceSeconds ?? 5 * 60;\n\tconst now = opts.nowSeconds ?? Math.floor(Date.now() / 1000);\n\tif (Math.abs(now - ts) > tolerance) return false;\n\n\tconst key = secretToKey(secret);\n\tconst expected = createHmac(\"sha256\", key)\n\t\t.update(`${id}.${timestamp}.${body}`)\n\t\t.digest(\"base64\");\n\n\t// webhook-signature can carry multiple versions: \"v1,abc v1a,def\"\n\tfor (const part of sigHeader.split(\" \")) {\n\t\tconst [version, sig] = part.split(\",\", 2);\n\t\tif (version !== \"v1\" || !sig) continue;\n\t\tif (sig.length !== expected.length) continue;\n\t\tlet diff = 0;\n\t\tfor (let i = 0; i < sig.length; i++) {\n\t\t\tdiff |= sig.charCodeAt(i) ^ expected.charCodeAt(i);\n\t\t}\n\t\tif (diff === 0) return true;\n\t}\n\treturn false;\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AA6BA,SAAS,WAAW,CAAC,QAAwB;AAAA,EAC5C,IAAI,OAAO,WAAW,QAAQ,GAAG;AAAA,IAChC,OAAO,OAAO,KAAK,OAAO,MAAM,SAAS,MAAM,GAAG,QAAQ;AAAA,EAC3D;AAAA,EACA,OAAO,OAAO,KAAK,QAAQ,MAAM;AAAA;AAG3B,SAAS,IAAI,CACnB,MACA,QACA,OAAoB,CAAC,GACK;AAAA,EAC1B,MAAM,KAAK,KAAK,MAAM,WAAW;AAAA,EACjC,MAAM,YAAY,OACjB,KAAK,oBAAoB,KAAK,MAAM,KAAK,IAAI,IAAI,IAAI,CACtD;AAAA,EACA,MAAM,SAAS,GAAG,MAAM,aAAa;AAAA,EACrC,MAAM,MAAM,YAAY,MAAM;AAAA,EAC9B,MAAM,YAAY,WAAW,UAAU,GAAG,EAAE,OAAO,MAAM,EAAE,OAAO,QAAQ;AAAA,EAC1E,OAAO;AAAA,IACN,cAAc;AAAA,IACd,qBAAqB;AAAA,IACrB,qBAAqB,MAAM;AAAA,EAC5B;AAAA;AAUM,SAAS,MAAM,CACrB,MACA,SAGA,QACA,OAAsB,CAAC,GACb;AAAA,EACV,MAAM,OAAO,CAAC,MAAc;AAAA,IAC3B,MAAM,IAAK,QAAoC;AAAA,IAC/C,OAAO,OAAO,MAAM,WAAW,IAAI;AAAA;AAAA,EAEpC,MAAM,KAAK,KAAK,YAAY;AAAA,EAC5B,MAAM,YAAY,KAAK,mBAAmB;AAAA,EAC1C,MAAM,YAAY,KAAK,mBAAmB;AAAA,EAC1C,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;AAAA,IAAW,OAAO;AAAA,EAE5C,MAAM,KAAK,OAAO,SAAS,WAAW,EAAE;AAAA,EACxC,IAAI,CAAC,OAAO,SAAS,EAAE;AAAA,IAAG,OAAO;AAAA,EACjC,MAAM,YAAY,KAAK,oBAAoB,IAAI;AAAA,EAC/C,MAAM,MAAM,KAAK,cAAc,KAAK,MAAM,KAAK,IAAI,IAAI,IAAI;AAAA,EAC3D,IAAI,KAAK,IAAI,MAAM,EAAE,IAAI;AAAA,IAAW,OAAO;AAAA,EAE3C,MAAM,MAAM,YAAY,MAAM;AAAA,EAC9B,MAAM,WAAW,WAAW,UAAU,GAAG,EACvC,OAAO,GAAG,MAAM,aAAa,MAAM,EACnC,OAAO,QAAQ;AAAA,EAGjB,WAAW,QAAQ,UAAU,MAAM,GAAG,GAAG;AAAA,IACxC,OAAO,SAAS,OAAO,KAAK,MAAM,KAAK,CAAC;AAAA,IACxC,IAAI,YAAY,QAAQ,CAAC;AAAA,MAAK;AAAA,IAC9B,IAAI,IAAI,WAAW,SAAS;AAAA,MAAQ;AAAA,IACpC,IAAI,OAAO;AAAA,IACX,SAAS,IAAI,EAAG,IAAI,IAAI,QAAQ,KAAK;AAAA,MACpC,QAAQ,IAAI,WAAW,CAAC,IAAI,SAAS,WAAW,CAAC;AAAA,IAClD;AAAA,IACA,IAAI,SAAS;AAAA,MAAG,OAAO;AAAA,EACxB;AAAA,EACA,OAAO;AAAA;",
+  "debugId": "AE46F7E38D913C0D64756E2164756E21",
+  "names": []
+}

package/dist/src/db/index.d.ts

@@ -295,6 +295,9 @@ interface Database {
 	tenant_compute_addons: TenantComputeAddonsTable;
 	account_spend_caps: AccountSpendCapsTable;
 	provisioning_audit_log: ProvisioningAuditLogTable;
+	subscriptions: SubscriptionsTable;
+	subscription_outbox: SubscriptionOutboxTable;
+	subscription_deliveries: SubscriptionDeliveriesTable;
 }
 type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
 interface TenantsTable {
@@ -434,6 +437,76 @@ type InsertChatSession = Insertable<ChatSessionsTable>;
 type UpdateChatSession = Updateable<ChatSessionsTable>;
 type ChatMessage = Selectable<ChatMessagesTable>;
 type InsertChatMessage = Insertable<ChatMessagesTable>;
+type SubscriptionStatus = "active" | "paused" | "error";
+type SubscriptionFormat = "standard-webhooks" | "inngest" | "trigger" | "cloudflare" | "cloudevents" | "raw";
+type SubscriptionRuntime = "inngest" | "trigger" | "cloudflare" | "node";
+interface SubscriptionsTable {
+	id: Generated<string>;
+	account_id: string;
+	project_id: string | null;
+	name: string;
+	status: ColumnType<SubscriptionStatus, SubscriptionStatus | undefined, SubscriptionStatus>;
+	subgraph_name: string;
+	table_name: string;
+	filter: Generated<unknown>;
+	format: ColumnType<SubscriptionFormat, SubscriptionFormat | undefined, SubscriptionFormat>;
+	runtime: SubscriptionRuntime | null;
+	url: string;
+	signing_secret_enc: Buffer;
+	auth_config: Generated<unknown>;
+	max_retries: Generated<number>;
+	timeout_ms: Generated<number>;
+	concurrency: Generated<number>;
+	circuit_failures: Generated<number>;
+	circuit_opened_at: Date | null;
+	last_delivery_at: Date | null;
+	last_success_at: Date | null;
+	last_error: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+type Subscription = Selectable<SubscriptionsTable>;
+type InsertSubscription = Insertable<SubscriptionsTable>;
+type UpdateSubscription = Updateable<SubscriptionsTable>;
+type OutboxStatus = "pending" | "delivered" | "dead";
+interface SubscriptionOutboxTable {
+	id: Generated<string>;
+	subscription_id: string;
+	subgraph_name: string;
+	table_name: string;
+	block_height: number | bigint;
+	tx_id: string | null;
+	row_pk: unknown;
+	event_type: string;
+	payload: unknown;
+	dedup_key: string;
+	attempt: Generated<number>;
+	next_attempt_at: Generated<Date>;
+	status: ColumnType<OutboxStatus, OutboxStatus | undefined, OutboxStatus>;
+	is_replay: Generated<boolean>;
+	delivered_at: Date | null;
+	failed_at: Date | null;
+	locked_by: string | null;
+	locked_until: Date | null;
+	created_at: Generated<Date>;
+}
+type SubscriptionOutbox = Selectable<SubscriptionOutboxTable>;
+type InsertSubscriptionOutbox = Insertable<SubscriptionOutboxTable>;
+type UpdateSubscriptionOutbox = Updateable<SubscriptionOutboxTable>;
+interface SubscriptionDeliveriesTable {
+	id: Generated<string>;
+	outbox_id: string;
+	subscription_id: string;
+	attempt: number;
+	status_code: number | null;
+	response_headers: unknown | null;
+	response_body: string | null;
+	error_message: string | null;
+	duration_ms: number | null;
+	dispatched_at: Generated<Date>;
+}
+type SubscriptionDelivery = Selectable<SubscriptionDeliveriesTable>;
+type InsertSubscriptionDelivery = Insertable<SubscriptionDeliveriesTable>;
 import { sql } from "kysely";
 /**
 * Kysely instance for the SOURCE DB (block/tx/event reads from the shared
@@ -459,4 +532,4 @@ declare function getDb(connectionString?: string): Kysely<Database>;
 declare function getRawClient(role?: "source" | "target"): ReturnType<typeof postgres>;
 /** Close all DB connection pools. Call in CLI commands to allow process exit. */
 declare function closeDb(): Promise<void>;
-export { sql, parseJsonb, jsonb, getTargetDb, getSourceDb, getRawClient, getDb, closeDb, WaitlistTable, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateTransaction, UpdateTenantUsageMonthly, UpdateTenantComputeAddon, UpdateTenant, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, UpdateAccountSpendCap, TransactionsTable, Transaction, TenantsTable, TenantUsageMonthlyTable, TenantUsageMonthly, TenantStatus, TenantComputeAddonsTable, TenantComputeAddon, Tenant, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ProvisioningAuditStatus, ProvisioningAuditLogTable, ProvisioningAuditLog, ProvisioningAuditEvent, ProjectsTable, Project, MagicLinksTable, MagicLink, InsertTransaction, InsertTenantUsageMonthly, InsertTenantComputeAddon, InsertTenant, InsertTeamMember, InsertTeamInvitation, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProvisioningAuditLog, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountSpendCap, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, Event, Database, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountSpendCapsTable, AccountSpendCap, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };
+export { sql, parseJsonb, jsonb, getTargetDb, getSourceDb, getRawClient, getDb, closeDb, WaitlistTable, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateTransaction, UpdateTenantUsageMonthly, UpdateTenantComputeAddon, UpdateTenant, UpdateSubscriptionOutbox, UpdateSubscription, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateChatSession, UpdateBlock, UpdateApiKey, UpdateAccountSpendCap, TransactionsTable, Transaction, TenantsTable, TenantUsageMonthlyTable, TenantUsageMonthly, TenantStatus, TenantComputeAddonsTable, TenantComputeAddon, Tenant, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubscriptionsTable, SubscriptionStatus, SubscriptionRuntime, SubscriptionOutboxTable, SubscriptionOutbox, SubscriptionFormat, SubscriptionDelivery, SubscriptionDeliveriesTable, Subscription, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ProvisioningAuditStatus, ProvisioningAuditLogTable, ProvisioningAuditLog, ProvisioningAuditEvent, ProjectsTable, Project, OutboxStatus, MagicLinksTable, MagicLink, InsertTransaction, InsertTenantUsageMonthly, InsertTenantComputeAddon, InsertTenant, InsertTeamMember, InsertTeamInvitation, InsertSubscriptionOutbox, InsertSubscriptionDelivery, InsertSubscription, InsertSubgraphUsageDaily, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProvisioningAuditLog, InsertProject, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountSpendCap, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, Event, Database, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountSpendCapsTable, AccountSpendCap, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };

package/dist/src/db/queries/account-spend-caps.d.ts

@@ -277,6 +277,9 @@ interface Database {
 	tenant_compute_addons: TenantComputeAddonsTable;
 	account_spend_caps: AccountSpendCapsTable;
 	provisioning_audit_log: ProvisioningAuditLogTable;
+	subscriptions: SubscriptionsTable;
+	subscription_outbox: SubscriptionOutboxTable;
+	subscription_deliveries: SubscriptionDeliveriesTable;
 }
 type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
 interface TenantsTable {
@@ -356,6 +359,68 @@ interface ProvisioningAuditLogTable {
 	error: string | null;
 	created_at: Generated<Date>;
 }
+type SubscriptionStatus = "active" | "paused" | "error";
+type SubscriptionFormat = "standard-webhooks" | "inngest" | "trigger" | "cloudflare" | "cloudevents" | "raw";
+type SubscriptionRuntime = "inngest" | "trigger" | "cloudflare" | "node";
+interface SubscriptionsTable {
+	id: Generated<string>;
+	account_id: string;
+	project_id: string | null;
+	name: string;
+	status: ColumnType<SubscriptionStatus, SubscriptionStatus | undefined, SubscriptionStatus>;
+	subgraph_name: string;
+	table_name: string;
+	filter: Generated<unknown>;
+	format: ColumnType<SubscriptionFormat, SubscriptionFormat | undefined, SubscriptionFormat>;
+	runtime: SubscriptionRuntime | null;
+	url: string;
+	signing_secret_enc: Buffer;
+	auth_config: Generated<unknown>;
+	max_retries: Generated<number>;
+	timeout_ms: Generated<number>;
+	concurrency: Generated<number>;
+	circuit_failures: Generated<number>;
+	circuit_opened_at: Date | null;
+	last_delivery_at: Date | null;
+	last_success_at: Date | null;
+	last_error: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+type OutboxStatus = "pending" | "delivered" | "dead";
+interface SubscriptionOutboxTable {
+	id: Generated<string>;
+	subscription_id: string;
+	subgraph_name: string;
+	table_name: string;
+	block_height: number | bigint;
+	tx_id: string | null;
+	row_pk: unknown;
+	event_type: string;
+	payload: unknown;
+	dedup_key: string;
+	attempt: Generated<number>;
+	next_attempt_at: Generated<Date>;
+	status: ColumnType<OutboxStatus, OutboxStatus | undefined, OutboxStatus>;
+	is_replay: Generated<boolean>;
+	delivered_at: Date | null;
+	failed_at: Date | null;
+	locked_by: string | null;
+	locked_until: Date | null;
+	created_at: Generated<Date>;
+}
+interface SubscriptionDeliveriesTable {
+	id: Generated<string>;
+	outbox_id: string;
+	subscription_id: string;
+	attempt: number;
+	status_code: number | null;
+	response_headers: unknown | null;
+	response_body: string | null;
+	error_message: string | null;
+	duration_ms: number | null;
+	dispatched_at: Generated<Date>;
+}
 /**
 * Spend-cap state for an account. Both the metering crons (check + set
 * frozen_at) and the dashboard (read + update caps) call through here.

package/dist/src/db/queries/account-usage.d.ts

@@ -277,6 +277,9 @@ interface Database {
 	tenant_compute_addons: TenantComputeAddonsTable;
 	account_spend_caps: AccountSpendCapsTable;
 	provisioning_audit_log: ProvisioningAuditLogTable;
+	subscriptions: SubscriptionsTable;
+	subscription_outbox: SubscriptionOutboxTable;
+	subscription_deliveries: SubscriptionDeliveriesTable;
 }
 type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
 interface TenantsTable {
@@ -354,6 +357,68 @@ interface ProvisioningAuditLogTable {
 	error: string | null;
 	created_at: Generated<Date>;
 }
+type SubscriptionStatus = "active" | "paused" | "error";
+type SubscriptionFormat = "standard-webhooks" | "inngest" | "trigger" | "cloudflare" | "cloudevents" | "raw";
+type SubscriptionRuntime = "inngest" | "trigger" | "cloudflare" | "node";
+interface SubscriptionsTable {
+	id: Generated<string>;
+	account_id: string;
+	project_id: string | null;
+	name: string;
+	status: ColumnType<SubscriptionStatus, SubscriptionStatus | undefined, SubscriptionStatus>;
+	subgraph_name: string;
+	table_name: string;
+	filter: Generated<unknown>;
+	format: ColumnType<SubscriptionFormat, SubscriptionFormat | undefined, SubscriptionFormat>;
+	runtime: SubscriptionRuntime | null;
+	url: string;
+	signing_secret_enc: Buffer;
+	auth_config: Generated<unknown>;
+	max_retries: Generated<number>;
+	timeout_ms: Generated<number>;
+	concurrency: Generated<number>;
+	circuit_failures: Generated<number>;
+	circuit_opened_at: Date | null;
+	last_delivery_at: Date | null;
+	last_success_at: Date | null;
+	last_error: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+type OutboxStatus = "pending" | "delivered" | "dead";
+interface SubscriptionOutboxTable {
+	id: Generated<string>;
+	subscription_id: string;
+	subgraph_name: string;
+	table_name: string;
+	block_height: number | bigint;
+	tx_id: string | null;
+	row_pk: unknown;
+	event_type: string;
+	payload: unknown;
+	dedup_key: string;
+	attempt: Generated<number>;
+	next_attempt_at: Generated<Date>;
+	status: ColumnType<OutboxStatus, OutboxStatus | undefined, OutboxStatus>;
+	is_replay: Generated<boolean>;
+	delivered_at: Date | null;
+	failed_at: Date | null;
+	locked_by: string | null;
+	locked_until: Date | null;
+	created_at: Generated<Date>;
+}
+interface SubscriptionDeliveriesTable {
+	id: Generated<string>;
+	outbox_id: string;
+	subscription_id: string;
+	attempt: number;
+	status_code: number | null;
+	response_headers: unknown | null;
+	response_body: string | null;
+	error_message: string | null;
+	duration_ms: number | null;
+	dispatched_at: Generated<Date>;
+}
 interface SparklinePoint {
 	day: string;
 	value: number;

package/dist/src/db/queries/accounts.d.ts

@@ -278,6 +278,9 @@ interface Database {
 	tenant_compute_addons: TenantComputeAddonsTable;
 	account_spend_caps: AccountSpendCapsTable;
 	provisioning_audit_log: ProvisioningAuditLogTable;
+	subscriptions: SubscriptionsTable;
+	subscription_outbox: SubscriptionOutboxTable;
+	subscription_deliveries: SubscriptionDeliveriesTable;
 }
 type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
 interface TenantsTable {
@@ -356,6 +359,68 @@ interface ProvisioningAuditLogTable {
 	created_at: Generated<Date>;
 }
 type Account = Selectable<AccountsTable>;
+type SubscriptionStatus = "active" | "paused" | "error";
+type SubscriptionFormat = "standard-webhooks" | "inngest" | "trigger" | "cloudflare" | "cloudevents" | "raw";
+type SubscriptionRuntime = "inngest" | "trigger" | "cloudflare" | "node";
+interface SubscriptionsTable {
+	id: Generated<string>;
+	account_id: string;
+	project_id: string | null;
+	name: string;
+	status: ColumnType<SubscriptionStatus, SubscriptionStatus | undefined, SubscriptionStatus>;
+	subgraph_name: string;
+	table_name: string;
+	filter: Generated<unknown>;
+	format: ColumnType<SubscriptionFormat, SubscriptionFormat | undefined, SubscriptionFormat>;
+	runtime: SubscriptionRuntime | null;
+	url: string;
+	signing_secret_enc: Buffer;
+	auth_config: Generated<unknown>;
+	max_retries: Generated<number>;
+	timeout_ms: Generated<number>;
+	concurrency: Generated<number>;
+	circuit_failures: Generated<number>;
+	circuit_opened_at: Date | null;
+	last_delivery_at: Date | null;
+	last_success_at: Date | null;
+	last_error: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+type OutboxStatus = "pending" | "delivered" | "dead";
+interface SubscriptionOutboxTable {
+	id: Generated<string>;
+	subscription_id: string;
+	subgraph_name: string;
+	table_name: string;
+	block_height: number | bigint;
+	tx_id: string | null;
+	row_pk: unknown;
+	event_type: string;
+	payload: unknown;
+	dedup_key: string;
+	attempt: Generated<number>;
+	next_attempt_at: Generated<Date>;
+	status: ColumnType<OutboxStatus, OutboxStatus | undefined, OutboxStatus>;
+	is_replay: Generated<boolean>;
+	delivered_at: Date | null;
+	failed_at: Date | null;
+	locked_by: string | null;
+	locked_until: Date | null;
+	created_at: Generated<Date>;
+}
+interface SubscriptionDeliveriesTable {
+	id: Generated<string>;
+	outbox_id: string;
+	subscription_id: string;
+	attempt: number;
+	status_code: number | null;
+	response_headers: unknown | null;
+	response_body: string | null;
+	error_message: string | null;
+	duration_ms: number | null;
+	dispatched_at: Generated<Date>;
+}
 declare function upsertAccount(db: Kysely<Database>, email: string): Promise<Account>;
 declare function getAccountById(db: Kysely<Database>, id: string): Promise<Account | null>;
 declare function updateAccountProfile(db: Kysely<Database>, id: string, data: {

package/dist/src/db/queries/integrity.d.ts

@@ -277,6 +277,9 @@ interface Database {
 	tenant_compute_addons: TenantComputeAddonsTable;
 	account_spend_caps: AccountSpendCapsTable;
 	provisioning_audit_log: ProvisioningAuditLogTable;
+	subscriptions: SubscriptionsTable;
+	subscription_outbox: SubscriptionOutboxTable;
+	subscription_deliveries: SubscriptionDeliveriesTable;
 }
 type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
 interface TenantsTable {
@@ -354,6 +357,68 @@ interface ProvisioningAuditLogTable {
 	error: string | null;
 	created_at: Generated<Date>;
 }
+type SubscriptionStatus = "active" | "paused" | "error";
+type SubscriptionFormat = "standard-webhooks" | "inngest" | "trigger" | "cloudflare" | "cloudevents" | "raw";
+type SubscriptionRuntime = "inngest" | "trigger" | "cloudflare" | "node";
+interface SubscriptionsTable {
+	id: Generated<string>;
+	account_id: string;
+	project_id: string | null;
+	name: string;
+	status: ColumnType<SubscriptionStatus, SubscriptionStatus | undefined, SubscriptionStatus>;
+	subgraph_name: string;
+	table_name: string;
+	filter: Generated<unknown>;
+	format: ColumnType<SubscriptionFormat, SubscriptionFormat | undefined, SubscriptionFormat>;
+	runtime: SubscriptionRuntime | null;
+	url: string;
+	signing_secret_enc: Buffer;
+	auth_config: Generated<unknown>;
+	max_retries: Generated<number>;
+	timeout_ms: Generated<number>;
+	concurrency: Generated<number>;
+	circuit_failures: Generated<number>;
+	circuit_opened_at: Date | null;
+	last_delivery_at: Date | null;
+	last_success_at: Date | null;
+	last_error: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+type OutboxStatus = "pending" | "delivered" | "dead";
+interface SubscriptionOutboxTable {
+	id: Generated<string>;
+	subscription_id: string;
+	subgraph_name: string;
+	table_name: string;
+	block_height: number | bigint;
+	tx_id: string | null;
+	row_pk: unknown;
+	event_type: string;
+	payload: unknown;
+	dedup_key: string;
+	attempt: Generated<number>;
+	next_attempt_at: Generated<Date>;
+	status: ColumnType<OutboxStatus, OutboxStatus | undefined, OutboxStatus>;
+	is_replay: Generated<boolean>;
+	delivered_at: Date | null;
+	failed_at: Date | null;
+	locked_by: string | null;
+	locked_until: Date | null;
+	created_at: Generated<Date>;
+}
+interface SubscriptionDeliveriesTable {
+	id: Generated<string>;
+	outbox_id: string;
+	subscription_id: string;
+	attempt: number;
+	status_code: number | null;
+	response_headers: unknown | null;
+	response_body: string | null;
+	error_message: string | null;
+	duration_ms: number | null;
+	dispatched_at: Generated<Date>;
+}
 interface Gap {
 	gapStart: number;
 	gapEnd: number;