npm - @secondlayer/shared - Versions diffs - 3.0.0-beta.1 → 3.0.0 - Mend

@secondlayer/shared 3.0.0-beta.1 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/src/crypto/standard-webhooks.d.ts +33 -0
package/dist/src/crypto/standard-webhooks.js +77 -0
package/dist/src/crypto/standard-webhooks.js.map +10 -0
package/dist/src/db/queries/subscriptions.d.ts +475 -0
package/dist/src/db/queries/subscriptions.js +264 -0
package/dist/src/db/queries/subscriptions.js.map +13 -0
package/package.json +8 -12

package/dist/src/crypto/standard-webhooks.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+* Standard Webhooks signing helpers — https://standardwebhooks.com
+*
+* Produces the three headers that every Standard Webhooks receiver expects:
+*   webhook-id         — UUID identifying the delivery (used for dedup)
+*   webhook-timestamp  — unix seconds, receiver rejects if skew > tolerance
+*   webhook-signature  — space-separated list of `vN,<base64-hmac>` tuples
+*
+* The signed content is `{id}.{timestamp}.{body}`. The HMAC key is the raw
+* bytes of the secret. If the secret is a `whsec_`-prefixed base64 string
+* (the Svix convention) we base64-decode after stripping the prefix;
+* otherwise we use the UTF-8 bytes directly.
+*/
+interface StandardWebhooksHeaders {
+	"webhook-id": string;
+	"webhook-timestamp": string;
+	"webhook-signature": string;
+}
+interface SignOptions {
+	/** Override the delivery id. Defaults to a random UUID v4. */
+	id?: string;
+	/** Override the timestamp (unix seconds). Defaults to `Date.now()`. */
+	timestampSeconds?: number;
+}
+declare function sign(body: string, secret: string, opts?: SignOptions): StandardWebhooksHeaders;
+interface VerifyOptions {
+	/** Max clock skew in seconds. Default 5 minutes per spec. */
+	toleranceSeconds?: number;
+	/** Current time in unix seconds. Injectable for testing. */
+	nowSeconds?: number;
+}
+declare function verify(body: string, headers: StandardWebhooksHeaders | Record<string, string | string[] | undefined>, secret: string, opts?: VerifyOptions): boolean;
+export { verify, sign, VerifyOptions, StandardWebhooksHeaders, SignOptions };

package/dist/src/crypto/standard-webhooks.js ADDED Viewed

@@ -0,0 +1,77 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+// src/crypto/standard-webhooks.ts
+import { createHmac, randomUUID } from "node:crypto";
+function secretToKey(secret) {
+  if (secret.startsWith("whsec_")) {
+    return Buffer.from(secret.slice("whsec_".length), "base64");
+  }
+  return Buffer.from(secret, "utf8");
+}
+function sign(body, secret, opts = {}) {
+  const id = opts.id ?? randomUUID();
+  const timestamp = String(opts.timestampSeconds ?? Math.floor(Date.now() / 1000));
+  const toSign = `${id}.${timestamp}.${body}`;
+  const key = secretToKey(secret);
+  const signature = createHmac("sha256", key).update(toSign).digest("base64");
+  return {
+    "webhook-id": id,
+    "webhook-timestamp": timestamp,
+    "webhook-signature": `v1,${signature}`
+  };
+}
+function verify(body, headers, secret, opts = {}) {
+  const pick = (k) => {
+    const v = headers[k];
+    return typeof v === "string" ? v : undefined;
+  };
+  const id = pick("webhook-id");
+  const timestamp = pick("webhook-timestamp");
+  const sigHeader = pick("webhook-signature");
+  if (!id || !timestamp || !sigHeader)
+    return false;
+  const ts = Number.parseInt(timestamp, 10);
+  if (!Number.isFinite(ts))
+    return false;
+  const tolerance = opts.toleranceSeconds ?? 5 * 60;
+  const now = opts.nowSeconds ?? Math.floor(Date.now() / 1000);
+  if (Math.abs(now - ts) > tolerance)
+    return false;
+  const key = secretToKey(secret);
+  const expected = createHmac("sha256", key).update(`${id}.${timestamp}.${body}`).digest("base64");
+  for (const part of sigHeader.split(" ")) {
+    const [version, sig] = part.split(",", 2);
+    if (version !== "v1" || !sig)
+      continue;
+    if (sig.length !== expected.length)
+      continue;
+    let diff = 0;
+    for (let i = 0;i < sig.length; i++) {
+      diff |= sig.charCodeAt(i) ^ expected.charCodeAt(i);
+    }
+    if (diff === 0)
+      return true;
+  }
+  return false;
+}
+export {
+  verify,
+  sign
+};
+//# debugId=AE46F7E38D913C0D64756E2164756E21
+//# sourceMappingURL=standard-webhooks.js.map

package/dist/src/crypto/standard-webhooks.js.map ADDED Viewed

@@ -0,0 +1,10 @@
+{
+  "version": 3,
+  "sources": ["../src/crypto/standard-webhooks.ts"],
+  "sourcesContent": [
+    "import { createHmac, randomUUID } from \"node:crypto\";\n\n/**\n * Standard Webhooks signing helpers — https://standardwebhooks.com\n *\n * Produces the three headers that every Standard Webhooks receiver expects:\n *   webhook-id         — UUID identifying the delivery (used for dedup)\n *   webhook-timestamp  — unix seconds, receiver rejects if skew > tolerance\n *   webhook-signature  — space-separated list of `vN,<base64-hmac>` tuples\n *\n * The signed content is `{id}.{timestamp}.{body}`. The HMAC key is the raw\n * bytes of the secret. If the secret is a `whsec_`-prefixed base64 string\n * (the Svix convention) we base64-decode after stripping the prefix;\n * otherwise we use the UTF-8 bytes directly.\n */\n\nexport interface StandardWebhooksHeaders {\n\t\"webhook-id\": string;\n\t\"webhook-timestamp\": string;\n\t\"webhook-signature\": string;\n}\n\nexport interface SignOptions {\n\t/** Override the delivery id. Defaults to a random UUID v4. */\n\tid?: string;\n\t/** Override the timestamp (unix seconds). Defaults to `Date.now()`. */\n\ttimestampSeconds?: number;\n}\n\nfunction secretToKey(secret: string): Buffer {\n\tif (secret.startsWith(\"whsec_\")) {\n\t\treturn Buffer.from(secret.slice(\"whsec_\".length), \"base64\");\n\t}\n\treturn Buffer.from(secret, \"utf8\");\n}\n\nexport function sign(\n\tbody: string,\n\tsecret: string,\n\topts: SignOptions = {},\n): StandardWebhooksHeaders {\n\tconst id = opts.id ?? randomUUID();\n\tconst timestamp = String(\n\t\topts.timestampSeconds ?? Math.floor(Date.now() / 1000),\n\t);\n\tconst toSign = `${id}.${timestamp}.${body}`;\n\tconst key = secretToKey(secret);\n\tconst signature = createHmac(\"sha256\", key).update(toSign).digest(\"base64\");\n\treturn {\n\t\t\"webhook-id\": id,\n\t\t\"webhook-timestamp\": timestamp,\n\t\t\"webhook-signature\": `v1,${signature}`,\n\t};\n}\n\nexport interface VerifyOptions {\n\t/** Max clock skew in seconds. Default 5 minutes per spec. */\n\ttoleranceSeconds?: number;\n\t/** Current time in unix seconds. Injectable for testing. */\n\tnowSeconds?: number;\n}\n\nexport function verify(\n\tbody: string,\n\theaders:\n\t\t| StandardWebhooksHeaders\n\t\t| Record<string, string | string[] | undefined>,\n\tsecret: string,\n\topts: VerifyOptions = {},\n): boolean {\n\tconst pick = (k: string) => {\n\t\tconst v = (headers as Record<string, unknown>)[k];\n\t\treturn typeof v === \"string\" ? v : undefined;\n\t};\n\tconst id = pick(\"webhook-id\");\n\tconst timestamp = pick(\"webhook-timestamp\");\n\tconst sigHeader = pick(\"webhook-signature\");\n\tif (!id || !timestamp || !sigHeader) return false;\n\n\tconst ts = Number.parseInt(timestamp, 10);\n\tif (!Number.isFinite(ts)) return false;\n\tconst tolerance = opts.toleranceSeconds ?? 5 * 60;\n\tconst now = opts.nowSeconds ?? Math.floor(Date.now() / 1000);\n\tif (Math.abs(now - ts) > tolerance) return false;\n\n\tconst key = secretToKey(secret);\n\tconst expected = createHmac(\"sha256\", key)\n\t\t.update(`${id}.${timestamp}.${body}`)\n\t\t.digest(\"base64\");\n\n\t// webhook-signature can carry multiple versions: \"v1,abc v1a,def\"\n\tfor (const part of sigHeader.split(\" \")) {\n\t\tconst [version, sig] = part.split(\",\", 2);\n\t\tif (version !== \"v1\" || !sig) continue;\n\t\tif (sig.length !== expected.length) continue;\n\t\tlet diff = 0;\n\t\tfor (let i = 0; i < sig.length; i++) {\n\t\t\tdiff |= sig.charCodeAt(i) ^ expected.charCodeAt(i);\n\t\t}\n\t\tif (diff === 0) return true;\n\t}\n\treturn false;\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AA6BA,SAAS,WAAW,CAAC,QAAwB;AAAA,EAC5C,IAAI,OAAO,WAAW,QAAQ,GAAG;AAAA,IAChC,OAAO,OAAO,KAAK,OAAO,MAAM,SAAS,MAAM,GAAG,QAAQ;AAAA,EAC3D;AAAA,EACA,OAAO,OAAO,KAAK,QAAQ,MAAM;AAAA;AAG3B,SAAS,IAAI,CACnB,MACA,QACA,OAAoB,CAAC,GACK;AAAA,EAC1B,MAAM,KAAK,KAAK,MAAM,WAAW;AAAA,EACjC,MAAM,YAAY,OACjB,KAAK,oBAAoB,KAAK,MAAM,KAAK,IAAI,IAAI,IAAI,CACtD;AAAA,EACA,MAAM,SAAS,GAAG,MAAM,aAAa;AAAA,EACrC,MAAM,MAAM,YAAY,MAAM;AAAA,EAC9B,MAAM,YAAY,WAAW,UAAU,GAAG,EAAE,OAAO,MAAM,EAAE,OAAO,QAAQ;AAAA,EAC1E,OAAO;AAAA,IACN,cAAc;AAAA,IACd,qBAAqB;AAAA,IACrB,qBAAqB,MAAM;AAAA,EAC5B;AAAA;AAUM,SAAS,MAAM,CACrB,MACA,SAGA,QACA,OAAsB,CAAC,GACb;AAAA,EACV,MAAM,OAAO,CAAC,MAAc;AAAA,IAC3B,MAAM,IAAK,QAAoC;AAAA,IAC/C,OAAO,OAAO,MAAM,WAAW,IAAI;AAAA;AAAA,EAEpC,MAAM,KAAK,KAAK,YAAY;AAAA,EAC5B,MAAM,YAAY,KAAK,mBAAmB;AAAA,EAC1C,MAAM,YAAY,KAAK,mBAAmB;AAAA,EAC1C,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;AAAA,IAAW,OAAO;AAAA,EAE5C,MAAM,KAAK,OAAO,SAAS,WAAW,EAAE;AAAA,EACxC,IAAI,CAAC,OAAO,SAAS,EAAE;AAAA,IAAG,OAAO;AAAA,EACjC,MAAM,YAAY,KAAK,oBAAoB,IAAI;AAAA,EAC/C,MAAM,MAAM,KAAK,cAAc,KAAK,MAAM,KAAK,IAAI,IAAI,IAAI;AAAA,EAC3D,IAAI,KAAK,IAAI,MAAM,EAAE,IAAI;AAAA,IAAW,OAAO;AAAA,EAE3C,MAAM,MAAM,YAAY,MAAM;AAAA,EAC9B,MAAM,WAAW,WAAW,UAAU,GAAG,EACvC,OAAO,GAAG,MAAM,aAAa,MAAM,EACnC,OAAO,QAAQ;AAAA,EAGjB,WAAW,QAAQ,UAAU,MAAM,GAAG,GAAG;AAAA,IACxC,OAAO,SAAS,OAAO,KAAK,MAAM,KAAK,CAAC;AAAA,IACxC,IAAI,YAAY,QAAQ,CAAC;AAAA,MAAK;AAAA,IAC9B,IAAI,IAAI,WAAW,SAAS;AAAA,MAAQ;AAAA,IACpC,IAAI,OAAO;AAAA,IACX,SAAS,IAAI,EAAG,IAAI,IAAI,QAAQ,KAAK;AAAA,MACpC,QAAQ,IAAI,WAAW,CAAC,IAAI,SAAS,WAAW,CAAC;AAAA,IAClD;AAAA,IACA,IAAI,SAAS;AAAA,MAAG,OAAO;AAAA,EACxB;AAAA,EACA,OAAO;AAAA;",
+  "debugId": "AE46F7E38D913C0D64756E2164756E21",
+  "names": []
+}

package/dist/src/db/queries/subscriptions.d.ts ADDED Viewed

@@ -0,0 +1,475 @@
+import { Kysely } from "kysely";
+import { ColumnType, Generated, Selectable } from "kysely";
+interface BlocksTable {
+	height: number;
+	hash: string;
+	parent_hash: string;
+	burn_block_height: number;
+	timestamp: number;
+	canonical: Generated<boolean>;
+	created_at: Generated<Date>;
+}
+interface TransactionsTable {
+	tx_id: string;
+	block_height: number;
+	tx_index: Generated<number>;
+	type: string;
+	sender: string;
+	status: string;
+	contract_id: string | null;
+	function_name: string | null;
+	function_args: Generated<unknown | null>;
+	raw_result: Generated<string | null>;
+	raw_tx: string;
+	created_at: Generated<Date>;
+}
+interface EventsTable {
+	id: Generated<string>;
+	tx_id: string;
+	block_height: number;
+	event_index: number;
+	type: string;
+	data: unknown;
+	created_at: Generated<Date>;
+}
+interface IndexProgressTable {
+	network: string;
+	last_indexed_block: Generated<number>;
+	last_contiguous_block: Generated<number>;
+	highest_seen_block: Generated<number>;
+	updated_at: Generated<Date>;
+}
+interface SubgraphsTable {
+	id: Generated<string>;
+	name: string;
+	version: Generated<string>;
+	status: Generated<string>;
+	definition: Record<string, unknown>;
+	schema_hash: string;
+	handler_path: string;
+	schema_name: string | null;
+	start_block: Generated<number>;
+	last_processed_block: Generated<number>;
+	reindex_from_block: number | null;
+	reindex_to_block: number | null;
+	last_error: string | null;
+	last_error_at: Date | null;
+	total_processed: Generated<number>;
+	total_errors: Generated<number>;
+	account_id: string;
+	handler_code: string | null;
+	source_code: string | null;
+	project_id: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface SubgraphGapsTable {
+	id: Generated<string>;
+	subgraph_id: string;
+	subgraph_name: string;
+	gap_start: number;
+	gap_end: number;
+	reason: string;
+	detected_at: Generated<Date>;
+	resolved_at: Date | null;
+}
+interface ApiKeysTable {
+	id: Generated<string>;
+	key_hash: string;
+	key_prefix: string;
+	name: string | null;
+	status: Generated<string>;
+	rate_limit: Generated<number>;
+	ip_address: string;
+	account_id: string;
+	last_used_at: Date | null;
+	revoked_at: Date | null;
+	created_at: Generated<Date>;
+}
+interface AccountsTable {
+	id: Generated<string>;
+	email: string;
+	plan: Generated<string>;
+	display_name: string | null;
+	bio: string | null;
+	avatar_url: string | null;
+	slug: string | null;
+	stripe_customer_id: string | null;
+	created_at: Generated<Date>;
+}
+interface SessionsTable {
+	id: Generated<string>;
+	token_hash: string;
+	token_prefix: string;
+	account_id: string;
+	ip_address: string;
+	expires_at: Generated<Date>;
+	revoked_at: Date | null;
+	last_used_at: Date | null;
+	created_at: Generated<Date>;
+}
+interface MagicLinksTable {
+	id: Generated<string>;
+	email: string;
+	token: string;
+	code: string | null;
+	expires_at: Date;
+	used_at: Date | null;
+	failed_attempts: Generated<number>;
+	created_at: Generated<Date>;
+}
+interface UsageDailyTable {
+	account_id: string;
+	tenant_id: string | null;
+	date: string;
+	api_requests: Generated<number>;
+	deliveries: Generated<number>;
+}
+interface UsageSnapshotsTable {
+	id: Generated<string>;
+	account_id: string;
+	measured_at: Generated<Date>;
+	storage_bytes: Generated<number>;
+}
+interface WaitlistTable {
+	id: Generated<string>;
+	email: string;
+	source: Generated<string>;
+	status: Generated<string>;
+	created_at: Generated<Date>;
+}
+interface AccountInsightsTable {
+	id: Generated<string>;
+	account_id: string;
+	category: string;
+	insight_type: string;
+	resource_id: string | null;
+	severity: string;
+	title: string;
+	body: string;
+	data: unknown;
+	dismissed_at: Date | null;
+	expires_at: Date | null;
+	created_at: Generated<Date>;
+}
+interface AccountAgentRunsTable {
+	id: Generated<string>;
+	account_id: string;
+	started_at: Generated<Date>;
+	completed_at: Date | null;
+	status: Generated<string>;
+	input_tokens: Generated<number>;
+	output_tokens: Generated<number>;
+	cost_usd: Generated<number>;
+	insights_created: Generated<number>;
+	error: string | null;
+}
+interface SubgraphProcessingStatsTable {
+	id: Generated<string>;
+	subgraph_name: string;
+	api_key_id: string | null;
+	bucket_start: Date | null;
+	bucket_end: Date | null;
+	blocks_processed: number | null;
+	total_time_ms: number | null;
+	handler_time_ms: number | null;
+	flush_time_ms: number | null;
+	max_block_time_ms: number | null;
+	max_handler_time_ms: number | null;
+	avg_ops_per_block: number | null;
+	is_catchup: Generated<boolean>;
+	created_at: Generated<Date>;
+}
+interface SubgraphTableSnapshotsTable {
+	id: Generated<string>;
+	subgraph_name: string;
+	api_key_id: string | null;
+	table_name: string;
+	row_count: number | null;
+	created_at: Generated<Date>;
+}
+interface SubgraphHealthSnapshotsTable {
+	id: Generated<string>;
+	subgraph_id: string;
+	total_processed: number;
+	total_errors: number;
+	last_processed_block: number | null;
+	captured_at: Generated<Date>;
+}
+interface SubgraphUsageDailyTable {
+	subgraph_id: string;
+	date: string;
+	query_count: Generated<number>;
+}
+interface ProjectsTable {
+	id: Generated<string>;
+	name: string;
+	slug: string;
+	account_id: string;
+	settings: Generated<Record<string, unknown>>;
+	network: Generated<string>;
+	node_rpc: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface TeamMembersTable {
+	id: Generated<string>;
+	project_id: string;
+	account_id: string;
+	role: Generated<string>;
+	invited_by: string | null;
+	created_at: Generated<Date>;
+}
+interface TeamInvitationsTable {
+	id: Generated<string>;
+	project_id: string;
+	email: string;
+	role: Generated<string>;
+	token: string;
+	invited_by: string | null;
+	expires_at: Date;
+	accepted_at: Date | null;
+	created_at: Generated<Date>;
+}
+interface ChatSessionsTable {
+	id: Generated<string>;
+	account_id: string;
+	title: string | null;
+	summary: unknown | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface ChatMessagesTable {
+	id: Generated<string>;
+	chat_session_id: string;
+	role: string;
+	parts: unknown;
+	metadata: unknown | null;
+	created_at: Generated<Date>;
+}
+interface Database {
+	blocks: BlocksTable;
+	transactions: TransactionsTable;
+	events: EventsTable;
+	index_progress: IndexProgressTable;
+	subgraphs: SubgraphsTable;
+	api_keys: ApiKeysTable;
+	accounts: AccountsTable;
+	sessions: SessionsTable;
+	magic_links: MagicLinksTable;
+	usage_daily: UsageDailyTable;
+	usage_snapshots: UsageSnapshotsTable;
+	waitlist: WaitlistTable;
+	account_insights: AccountInsightsTable;
+	account_agent_runs: AccountAgentRunsTable;
+	subgraph_health_snapshots: SubgraphHealthSnapshotsTable;
+	subgraph_processing_stats: SubgraphProcessingStatsTable;
+	subgraph_table_snapshots: SubgraphTableSnapshotsTable;
+	subgraph_gaps: SubgraphGapsTable;
+	subgraph_usage_daily: SubgraphUsageDailyTable;
+	projects: ProjectsTable;
+	team_members: TeamMembersTable;
+	team_invitations: TeamInvitationsTable;
+	chat_sessions: ChatSessionsTable;
+	chat_messages: ChatMessagesTable;
+	tenants: TenantsTable;
+	tenant_usage_monthly: TenantUsageMonthlyTable;
+	tenant_compute_addons: TenantComputeAddonsTable;
+	account_spend_caps: AccountSpendCapsTable;
+	provisioning_audit_log: ProvisioningAuditLogTable;
+	subscriptions: SubscriptionsTable;
+	subscription_outbox: SubscriptionOutboxTable;
+	subscription_deliveries: SubscriptionDeliveriesTable;
+}
+type TenantStatus = "provisioning" | "active" | "suspended" | "error" | "deleted";
+interface TenantsTable {
+	id: Generated<string>;
+	account_id: string;
+	slug: string;
+	status: ColumnType<TenantStatus, TenantStatus | undefined, TenantStatus>;
+	plan: string;
+	cpus: ColumnType<number, number | string, number | string>;
+	memory_mb: number;
+	storage_limit_mb: number;
+	storage_used_mb: number | null;
+	pg_container_id: string | null;
+	api_container_id: string | null;
+	processor_container_id: string | null;
+	target_database_url_enc: Buffer;
+	tenant_jwt_secret_enc: Buffer;
+	anon_key_enc: Buffer;
+	service_key_enc: Buffer;
+	api_url_internal: string;
+	api_url_public: string;
+	suspended_at: Date | null;
+	last_health_check_at: Date | null;
+	last_active_at: Generated<Date>;
+	service_gen: Generated<number>;
+	anon_gen: Generated<number>;
+	project_id: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+interface TenantUsageMonthlyTable {
+	id: Generated<string>;
+	tenant_id: string;
+	period_month: Date;
+	storage_peak_mb: Generated<number>;
+	storage_avg_mb: Generated<number>;
+	storage_last_mb: Generated<number>;
+	measurements: Generated<number>;
+	first_at: Generated<Date>;
+	last_at: Generated<Date>;
+}
+interface TenantComputeAddonsTable {
+	id: Generated<string>;
+	tenant_id: string;
+	memory_mb_delta: Generated<number>;
+	cpu_delta: Generated<number | string>;
+	storage_mb_delta: Generated<number>;
+	effective_from: Generated<Date>;
+	effective_until: Date | null;
+	stripe_subscription_item_id: string | null;
+	created_at: Generated<Date>;
+}
+interface AccountSpendCapsTable {
+	account_id: string;
+	monthly_cap_cents: number | null;
+	compute_cap_cents: number | null;
+	storage_cap_cents: number | null;
+	ai_cap_cents: number | null;
+	alert_threshold_pct: Generated<number>;
+	alert_sent_at: Date | null;
+	frozen_at: Date | null;
+	updated_at: Generated<Date>;
+}
+type ProvisioningAuditEvent = "provision.start" | "provision.success" | "provision.failure" | "suspend" | "resume" | "resize" | "keys.rotate" | "bastion.key.upload" | "bastion.key.revoke" | "teardown";
+type ProvisioningAuditStatus = "ok" | "error";
+interface ProvisioningAuditLogTable {
+	id: Generated<string>;
+	tenant_id: string | null;
+	tenant_slug: string | null;
+	account_id: string | null;
+	actor: string;
+	event: ProvisioningAuditEvent;
+	status: ProvisioningAuditStatus;
+	detail: unknown | null;
+	error: string | null;
+	created_at: Generated<Date>;
+}
+type SubscriptionStatus = "active" | "paused" | "error";
+type SubscriptionFormat = "standard-webhooks" | "inngest" | "trigger" | "cloudflare" | "cloudevents" | "raw";
+type SubscriptionRuntime = "inngest" | "trigger" | "cloudflare" | "node";
+interface SubscriptionsTable {
+	id: Generated<string>;
+	account_id: string;
+	project_id: string | null;
+	name: string;
+	status: ColumnType<SubscriptionStatus, SubscriptionStatus | undefined, SubscriptionStatus>;
+	subgraph_name: string;
+	table_name: string;
+	filter: Generated<unknown>;
+	format: ColumnType<SubscriptionFormat, SubscriptionFormat | undefined, SubscriptionFormat>;
+	runtime: SubscriptionRuntime | null;
+	url: string;
+	signing_secret_enc: Buffer;
+	auth_config: Generated<unknown>;
+	max_retries: Generated<number>;
+	timeout_ms: Generated<number>;
+	concurrency: Generated<number>;
+	circuit_failures: Generated<number>;
+	circuit_opened_at: Date | null;
+	last_delivery_at: Date | null;
+	last_success_at: Date | null;
+	last_error: string | null;
+	created_at: Generated<Date>;
+	updated_at: Generated<Date>;
+}
+type Subscription = Selectable<SubscriptionsTable>;
+type OutboxStatus = "pending" | "delivered" | "dead";
+interface SubscriptionOutboxTable {
+	id: Generated<string>;
+	subscription_id: string;
+	subgraph_name: string;
+	table_name: string;
+	block_height: number | bigint;
+	tx_id: string | null;
+	row_pk: unknown;
+	event_type: string;
+	payload: unknown;
+	dedup_key: string;
+	attempt: Generated<number>;
+	next_attempt_at: Generated<Date>;
+	status: ColumnType<OutboxStatus, OutboxStatus | undefined, OutboxStatus>;
+	is_replay: Generated<boolean>;
+	delivered_at: Date | null;
+	failed_at: Date | null;
+	locked_by: string | null;
+	locked_until: Date | null;
+	created_at: Generated<Date>;
+}
+interface SubscriptionDeliveriesTable {
+	id: Generated<string>;
+	outbox_id: string;
+	subscription_id: string;
+	attempt: number;
+	status_code: number | null;
+	response_headers: unknown | null;
+	response_body: string | null;
+	error_message: string | null;
+	duration_ms: number | null;
+	dispatched_at: Generated<Date>;
+}
+/**
+* Subscription CRUD. `signing_secret_enc` is transparently encrypted via
+* `encryptSecret`/`decryptSecret`. Plaintext secrets only leave via the
+* return value of `create` (one-time display) and `rotateSecret`.
+*/
+interface CreateSubscriptionInput {
+	accountId: string;
+	projectId?: string | null;
+	name: string;
+	subgraphName: string;
+	tableName: string;
+	filter?: unknown;
+	format?: SubscriptionFormat;
+	runtime?: SubscriptionRuntime | null;
+	url: string;
+	authConfig?: unknown;
+	maxRetries?: number;
+	timeoutMs?: number;
+	concurrency?: number;
+}
+interface CreateSubscriptionResult {
+	subscription: Subscription;
+	/** Plaintext signing secret — surfaced once, never stored decrypted. */
+	signingSecret: string;
+}
+declare function createSubscription(db: Kysely<Database>, input: CreateSubscriptionInput): Promise<CreateSubscriptionResult>;
+declare function listSubscriptions(db: Kysely<Database>, accountId: string): Promise<Subscription[]>;
+declare function getSubscription(db: Kysely<Database>, accountId: string, id: string): Promise<Subscription | null>;
+declare function getSubscriptionByName(db: Kysely<Database>, accountId: string, name: string): Promise<Subscription | null>;
+interface UpdateSubscriptionInput {
+	name?: string;
+	filter?: unknown;
+	format?: SubscriptionFormat;
+	runtime?: SubscriptionRuntime | null;
+	url?: string;
+	authConfig?: unknown;
+	maxRetries?: number;
+	timeoutMs?: number;
+	concurrency?: number;
+}
+declare function updateSubscription(db: Kysely<Database>, accountId: string, id: string, patch: UpdateSubscriptionInput): Promise<Subscription | null>;
+declare function toggleSubscriptionStatus(db: Kysely<Database>, accountId: string, id: string, status: SubscriptionStatus): Promise<Subscription | null>;
+declare function deleteSubscription(db: Kysely<Database>, accountId: string, id: string): Promise<boolean>;
+interface RotateSecretResult {
+	subscription: Subscription;
+	signingSecret: string;
+}
+declare function rotateSubscriptionSecret(db: Kysely<Database>, accountId: string, id: string): Promise<RotateSecretResult | null>;
+/** Decrypt a subscription's signing secret for HMAC signing at emit time. */
+declare function getSubscriptionSigningSecret(sub: Subscription): string;
+/** Fire `subscriptions:changed` notify so the emitter hot-reloads its cache. */
+declare function notifySubscriptionsChanged(db: Kysely<Database>, accountId: string): Promise<void>;
+export { updateSubscription, toggleSubscriptionStatus, rotateSubscriptionSecret, notifySubscriptionsChanged, listSubscriptions, getSubscriptionSigningSecret, getSubscriptionByName, getSubscription, deleteSubscription, createSubscription, UpdateSubscriptionInput, RotateSecretResult, CreateSubscriptionResult, CreateSubscriptionInput };

package/dist/src/db/queries/subscriptions.js ADDED Viewed

@@ -0,0 +1,264 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+// src/crypto/hmac.ts
+var exports_hmac = {};
+__export(exports_hmac, {
+  verifySignatureHeader: () => verifySignatureHeader,
+  verifySignature: () => verifySignature,
+  signPayload: () => signPayload,
+  generateSecret: () => generateSecret,
+  createSignatureHeader: () => createSignatureHeader
+});
+import { createHmac, randomBytes } from "crypto";
+function generateSecret() {
+  return randomBytes(32).toString("hex");
+}
+function signPayload(payload, secret) {
+  const hmac = createHmac("sha256", secret);
+  hmac.update(payload);
+  return hmac.digest("hex");
+}
+function verifySignature(payload, signature, secret) {
+  const expectedSignature = signPayload(payload, secret);
+  if (signature.length !== expectedSignature.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0;i < signature.length; i++) {
+    result |= signature.charCodeAt(i) ^ expectedSignature.charCodeAt(i);
+  }
+  return result === 0;
+}
+function createSignatureHeader(payload, secret, timestamp) {
+  const ts = timestamp ?? Math.floor(Date.now() / 1000);
+  const signedPayload = `${ts}.${payload}`;
+  const signature = signPayload(signedPayload, secret);
+  return `t=${ts},v1=${signature}`;
+}
+function verifySignatureHeader(payload, header, secret, toleranceSeconds = 300) {
+  const parts = header.split(",");
+  const timestamp = parts.find((p) => p.startsWith("t="))?.slice(2);
+  const signature = parts.find((p) => p.startsWith("v1="))?.slice(3);
+  if (!timestamp || !signature) {
+    return false;
+  }
+  const ts = Number.parseInt(timestamp, 10);
+  if (isNaN(ts)) {
+    return false;
+  }
+  const now = Math.floor(Date.now() / 1000);
+  if (Math.abs(now - ts) > toleranceSeconds) {
+    return false;
+  }
+  const signedPayload = `${ts}.${payload}`;
+  return verifySignature(signedPayload, signature, secret);
+}
+// src/mode.ts
+var VALID_MODES = ["oss", "dedicated", "platform"];
+function getInstanceMode() {
+  const raw = process.env.INSTANCE_MODE?.trim().toLowerCase();
+  if (raw && VALID_MODES.includes(raw)) {
+    return raw;
+  }
+  return "oss";
+}
+function isPlatformMode() {
+  return getInstanceMode() === "platform";
+}
+function isOssMode() {
+  return getInstanceMode() === "oss";
+}
+function isDedicatedMode() {
+  return getInstanceMode() === "dedicated";
+}
+// src/crypto/secrets.ts
+import { createCipheriv, createDecipheriv, randomBytes as randomBytes2 } from "node:crypto";
+import { appendFileSync, existsSync, readFileSync } from "node:fs";
+import { resolve } from "node:path";
+var KEY_ENV = "SECONDLAYER_SECRETS_KEY";
+var IV_LEN = 12;
+var TAG_LEN = 16;
+function bootstrapOssKey() {
+  const envPath = resolve(process.cwd(), ".env.local");
+  if (existsSync(envPath)) {
+    const contents = readFileSync(envPath, "utf8");
+    const match = contents.match(/^SECONDLAYER_SECRETS_KEY=([a-fA-F0-9]{64})/m);
+    if (match) {
+      process.env[KEY_ENV] = match[1];
+      return match[1];
+    }
+  }
+  const hex = randomBytes2(32).toString("hex");
+  const line = `${existsSync(envPath) ? `
+` : ""}${KEY_ENV}=${hex}
+`;
+  appendFileSync(envPath, line, { mode: 384 });
+  process.env[KEY_ENV] = hex;
+  console.log(`[secondlayer] generated ${KEY_ENV}; saved to ${envPath} (mode 0600)`);
+  return hex;
+}
+function loadKey() {
+  let hex = process.env[KEY_ENV];
+  if (!hex) {
+    if (getInstanceMode() === "oss") {
+      hex = bootstrapOssKey();
+    } else {
+      throw new Error(`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`);
+    }
+  }
+  const key = Buffer.from(hex, "hex");
+  if (key.length !== 32) {
+    throw new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);
+  }
+  return key;
+}
+var _cachedKey = null;
+function getKey() {
+  if (!_cachedKey)
+    _cachedKey = loadKey();
+  return _cachedKey;
+}
+function encryptSecret(plaintext) {
+  const key = getKey();
+  const iv = randomBytes2(IV_LEN);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, ciphertext]);
+}
+function decryptSecret(envelope) {
+  const key = getKey();
+  const iv = envelope.subarray(0, IV_LEN);
+  const tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);
+  const ciphertext = envelope.subarray(IV_LEN + TAG_LEN);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(ciphertext).toString("utf8") + decipher.final("utf8");
+}
+function generateSecretsKey() {
+  return randomBytes2(32).toString("hex");
+}
+// src/db/queries/subscriptions.ts
+import { sql } from "kysely";
+async function createSubscription(db, input) {
+  const signingSecret = generateSecret();
+  const row = {
+    account_id: input.accountId,
+    project_id: input.projectId ?? null,
+    name: input.name,
+    status: "active",
+    subgraph_name: input.subgraphName,
+    table_name: input.tableName,
+    filter: input.filter ?? {},
+    format: input.format ?? "standard-webhooks",
+    runtime: input.runtime ?? null,
+    url: input.url,
+    signing_secret_enc: encryptSecret(signingSecret),
+    auth_config: input.authConfig ?? {},
+    ...input.maxRetries !== undefined ? { max_retries: input.maxRetries } : {},
+    ...input.timeoutMs !== undefined ? { timeout_ms: input.timeoutMs } : {},
+    ...input.concurrency !== undefined ? { concurrency: input.concurrency } : {}
+  };
+  const subscription = await db.insertInto("subscriptions").values(row).returningAll().executeTakeFirstOrThrow();
+  return { subscription, signingSecret };
+}
+async function listSubscriptions(db, accountId) {
+  return db.selectFrom("subscriptions").selectAll().where("account_id", "=", accountId).orderBy("created_at", "desc").execute();
+}
+async function getSubscription(db, accountId, id) {
+  const row = await db.selectFrom("subscriptions").selectAll().where("account_id", "=", accountId).where("id", "=", id).executeTakeFirst();
+  return row ?? null;
+}
+async function getSubscriptionByName(db, accountId, name) {
+  const row = await db.selectFrom("subscriptions").selectAll().where("account_id", "=", accountId).where("name", "=", name).executeTakeFirst();
+  return row ?? null;
+}
+async function updateSubscription(db, accountId, id, patch) {
+  const update = { updated_at: new Date };
+  if (patch.name !== undefined)
+    update.name = patch.name;
+  if (patch.filter !== undefined)
+    update.filter = patch.filter;
+  if (patch.format !== undefined)
+    update.format = patch.format;
+  if (patch.runtime !== undefined)
+    update.runtime = patch.runtime;
+  if (patch.url !== undefined)
+    update.url = patch.url;
+  if (patch.authConfig !== undefined)
+    update.auth_config = patch.authConfig;
+  if (patch.maxRetries !== undefined)
+    update.max_retries = patch.maxRetries;
+  if (patch.timeoutMs !== undefined)
+    update.timeout_ms = patch.timeoutMs;
+  if (patch.concurrency !== undefined)
+    update.concurrency = patch.concurrency;
+  const row = await db.updateTable("subscriptions").set(update).where("account_id", "=", accountId).where("id", "=", id).returningAll().executeTakeFirst();
+  return row ?? null;
+}
+async function toggleSubscriptionStatus(db, accountId, id, status) {
+  const row = await db.updateTable("subscriptions").set({
+    status,
+    updated_at: new Date,
+    ...status === "active" ? {
+      circuit_failures: 0,
+      circuit_opened_at: null
+    } : {}
+  }).where("account_id", "=", accountId).where("id", "=", id).returningAll().executeTakeFirst();
+  return row ?? null;
+}
+async function deleteSubscription(db, accountId, id) {
+  const res = await db.deleteFrom("subscriptions").where("account_id", "=", accountId).where("id", "=", id).executeTakeFirst();
+  return Number(res.numDeletedRows ?? 0) > 0;
+}
+async function rotateSubscriptionSecret(db, accountId, id) {
+  const signingSecret = generateSecret();
+  const row = await db.updateTable("subscriptions").set({
+    signing_secret_enc: encryptSecret(signingSecret),
+    updated_at: new Date
+  }).where("account_id", "=", accountId).where("id", "=", id).returningAll().executeTakeFirst();
+  if (!row)
+    return null;
+  return { subscription: row, signingSecret };
+}
+function getSubscriptionSigningSecret(sub) {
+  return decryptSecret(sub.signing_secret_enc);
+}
+async function notifySubscriptionsChanged(db, accountId) {
+  await sql`SELECT pg_notify('subscriptions:changed', ${accountId})`.execute(db);
+}
+export {
+  updateSubscription,
+  toggleSubscriptionStatus,
+  rotateSubscriptionSecret,
+  notifySubscriptionsChanged,
+  listSubscriptions,
+  getSubscriptionSigningSecret,
+  getSubscriptionByName,
+  getSubscription,
+  deleteSubscription,
+  createSubscription
+};
+//# debugId=6C6C97A09D12DAB864756E2164756E21
+//# sourceMappingURL=subscriptions.js.map

package/dist/src/db/queries/subscriptions.js.map ADDED Viewed

@@ -0,0 +1,13 @@
+{
+  "version": 3,
+  "sources": ["../src/crypto/hmac.ts", "../src/mode.ts", "../src/crypto/secrets.ts", "../src/db/queries/subscriptions.ts"],
+  "sourcesContent": [
+    "import { createHmac, randomBytes } from \"crypto\";\n\n/**\n * Generate a random secret for delivery signing\n * Returns 32 bytes as a 64-character hex string\n */\nexport function generateSecret(): string {\n\treturn randomBytes(32).toString(\"hex\");\n}\n\n/**\n * Sign a payload with HMAC-SHA256\n * Returns the signature as a hex string\n */\nexport function signPayload(payload: string, secret: string): string {\n\tconst hmac = createHmac(\"sha256\", secret);\n\thmac.update(payload);\n\treturn hmac.digest(\"hex\");\n}\n\n/**\n * Verify an HMAC signature\n * Uses constant-time comparison to prevent timing attacks\n */\nexport function verifySignature(\n\tpayload: string,\n\tsignature: string,\n\tsecret: string,\n): boolean {\n\tconst expectedSignature = signPayload(payload, secret);\n\n\t// Constant-time comparison\n\tif (signature.length !== expectedSignature.length) {\n\t\treturn false;\n\t}\n\n\tlet result = 0;\n\tfor (let i = 0; i < signature.length; i++) {\n\t\tresult |= signature.charCodeAt(i) ^ expectedSignature.charCodeAt(i);\n\t}\n\n\treturn result === 0;\n}\n\n/**\n * Create a Stripe-style signature header\n * Format: t=timestamp,v1=signature\n */\nexport function createSignatureHeader(\n\tpayload: string,\n\tsecret: string,\n\ttimestamp?: number,\n): string {\n\tconst ts = timestamp ?? Math.floor(Date.now() / 1000);\n\tconst signedPayload = `${ts}.${payload}`;\n\tconst signature = signPayload(signedPayload, secret);\n\n\treturn `t=${ts},v1=${signature}`;\n}\n\n/**\n * Parse and verify a Stripe-style signature header\n * Returns true if valid, false otherwise\n */\nexport function verifySignatureHeader(\n\tpayload: string,\n\theader: string,\n\tsecret: string,\n\ttoleranceSeconds = 300, // 5 minutes\n): boolean {\n\t// Parse header\n\tconst parts = header.split(\",\");\n\tconst timestamp = parts.find((p) => p.startsWith(\"t=\"))?.slice(2);\n\tconst signature = parts.find((p) => p.startsWith(\"v1=\"))?.slice(3);\n\n\tif (!timestamp || !signature) {\n\t\treturn false;\n\t}\n\n\tconst ts = Number.parseInt(timestamp, 10);\n\tif (isNaN(ts)) {\n\t\treturn false;\n\t}\n\n\t// Check timestamp is within tolerance\n\tconst now = Math.floor(Date.now() / 1000);\n\tif (Math.abs(now - ts) > toleranceSeconds) {\n\t\treturn false;\n\t}\n\n\t// Verify signature\n\tconst signedPayload = `${ts}.${payload}`;\n\treturn verifySignature(signedPayload, signature, secret);\n}\n",
+    "/**\n * Instance modes for the Secondlayer platform.\n *\n * - `oss`: self-hosted, single-tenant. No auth middleware, no platform routes\n *   (projects, admin, workflows). Everything runs against a single\n *   `DATABASE_URL`. Intended for `docker compose up`.\n *\n * - `dedicated`: per-customer managed instance. JWT-based auth (anon =\n *   read-only, service = full). Dual-DB mode — shared source indexer DB for\n *   block reads, per-tenant target DB for subgraph data. No platform-wide\n *   routes mounted (no cross-tenant accounts).\n *\n * - `platform`: control-plane mode. Magic-link auth, API keys, projects,\n *   tenants, admin. Serves the dashboard + CLI against a single shared DB.\n */\n\nexport type InstanceMode = \"oss\" | \"dedicated\" | \"platform\";\n\nconst VALID_MODES: readonly InstanceMode[] = [\"oss\", \"dedicated\", \"platform\"];\n\n/**\n * Resolve the active instance mode from `process.env.INSTANCE_MODE`.\n * Defaults to `\"oss\"` — the safest default for self-hosters who deploy\n * without setting the variable.\n */\nexport function getInstanceMode(): InstanceMode {\n\tconst raw = process.env.INSTANCE_MODE?.trim().toLowerCase();\n\tif (raw && (VALID_MODES as readonly string[]).includes(raw)) {\n\t\treturn raw as InstanceMode;\n\t}\n\treturn \"oss\";\n}\n\n/** True when the active mode is `\"platform\"` (shared multi-tenant). */\nexport function isPlatformMode(): boolean {\n\treturn getInstanceMode() === \"platform\";\n}\n\n/** True when the active mode is `\"oss\"` (self-hosted). */\nexport function isOssMode(): boolean {\n\treturn getInstanceMode() === \"oss\";\n}\n\n/** True when the active mode is `\"dedicated\"` (per-tenant managed). */\nexport function isDedicatedMode(): boolean {\n\treturn getInstanceMode() === \"dedicated\";\n}\n",
+    "import { createCipheriv, createDecipheriv, randomBytes } from \"node:crypto\";\nimport { appendFileSync, existsSync, readFileSync } from \"node:fs\";\nimport { resolve } from \"node:path\";\nimport { getInstanceMode } from \"../mode.ts\";\n\n/**\n * AES-256-GCM symmetric envelope for encrypted secrets at rest (tenant keys,\n * subscription signing secrets, etc.).\n *\n * Ciphertext layout: `iv (12 bytes) || authTag (16 bytes) || ciphertext`\n *\n * The key comes from `SECONDLAYER_SECRETS_KEY` — 32 bytes hex. In OSS mode,\n * if the env var is unset on first use we autogenerate a key and persist it\n * to `.env.local` in the current working directory so subsequent restarts\n * pick it up without user intervention. Dedicated/platform modes throw —\n * those runtimes must provision the key explicitly.\n *\n * Rotation strategy: re-encrypt all rows with the new key and swap the env\n * var. Not zero-downtime, but acceptable at v2 scale. For real KMS (AWS\n * KMS, Vault, GCP KMS), wrap the same byte layout behind an\n * `EncryptSecret`/`DecryptSecret` interface and swap at startup.\n */\n\nconst KEY_ENV = \"SECONDLAYER_SECRETS_KEY\";\nconst IV_LEN = 12;\nconst TAG_LEN = 16;\n\nfunction bootstrapOssKey(): string {\n\tconst envPath = resolve(process.cwd(), \".env.local\");\n\n\t// Check existing .env.local first — prior run may have written it.\n\tif (existsSync(envPath)) {\n\t\tconst contents = readFileSync(envPath, \"utf8\");\n\t\tconst match = contents.match(/^SECONDLAYER_SECRETS_KEY=([a-fA-F0-9]{64})/m);\n\t\tif (match) {\n\t\t\tprocess.env[KEY_ENV] = match[1];\n\t\t\treturn match[1];\n\t\t}\n\t}\n\n\tconst hex = randomBytes(32).toString(\"hex\");\n\tconst line = `${existsSync(envPath) ? \"\\n\" : \"\"}${KEY_ENV}=${hex}\\n`;\n\tappendFileSync(envPath, line, { mode: 0o600 });\n\tprocess.env[KEY_ENV] = hex;\n\tconsole.log(\n\t\t`[secondlayer] generated ${KEY_ENV}; saved to ${envPath} (mode 0600)`,\n\t);\n\treturn hex;\n}\n\nfunction loadKey(): Buffer {\n\tlet hex = process.env[KEY_ENV];\n\tif (!hex) {\n\t\tif (getInstanceMode() === \"oss\") {\n\t\t\thex = bootstrapOssKey();\n\t\t} else {\n\t\t\tthrow new Error(\n\t\t\t\t`${KEY_ENV} not set. Generate one with: openssl rand -hex 32`,\n\t\t\t);\n\t\t}\n\t}\n\tconst key = Buffer.from(hex, \"hex\");\n\tif (key.length !== 32) {\n\t\tthrow new Error(`${KEY_ENV} must be 32 bytes hex (got ${key.length})`);\n\t}\n\treturn key;\n}\n\nlet _cachedKey: Buffer | null = null;\nfunction getKey(): Buffer {\n\tif (!_cachedKey) _cachedKey = loadKey();\n\treturn _cachedKey;\n}\n\nexport function encryptSecret(plaintext: string): Buffer {\n\tconst key = getKey();\n\tconst iv = randomBytes(IV_LEN);\n\tconst cipher = createCipheriv(\"aes-256-gcm\", key, iv);\n\tconst ciphertext = Buffer.concat([\n\t\tcipher.update(plaintext, \"utf8\"),\n\t\tcipher.final(),\n\t]);\n\tconst tag = cipher.getAuthTag();\n\treturn Buffer.concat([iv, tag, ciphertext]);\n}\n\nexport function decryptSecret(envelope: Buffer): string {\n\tconst key = getKey();\n\tconst iv = envelope.subarray(0, IV_LEN);\n\tconst tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);\n\tconst ciphertext = envelope.subarray(IV_LEN + TAG_LEN);\n\tconst decipher = createDecipheriv(\"aes-256-gcm\", key, iv);\n\tdecipher.setAuthTag(tag);\n\treturn decipher.update(ciphertext).toString(\"utf8\") + decipher.final(\"utf8\");\n}\n\n/** Generate a fresh 32-byte hex key suitable for `SECONDLAYER_SECRETS_KEY`. */\nexport function generateSecretsKey(): string {\n\treturn randomBytes(32).toString(\"hex\");\n}\n",
+    "import { type Kysely, sql } from \"kysely\";\nimport { generateSecret } from \"../../crypto/hmac.ts\";\nimport { decryptSecret, encryptSecret } from \"../../crypto/secrets.ts\";\nimport type {\n\tDatabase,\n\tInsertSubscription,\n\tSubscription,\n\tSubscriptionFormat,\n\tSubscriptionRuntime,\n\tSubscriptionStatus,\n\tUpdateSubscription,\n} from \"../types.ts\";\n\n/**\n * Subscription CRUD. `signing_secret_enc` is transparently encrypted via\n * `encryptSecret`/`decryptSecret`. Plaintext secrets only leave via the\n * return value of `create` (one-time display) and `rotateSecret`.\n */\n\nexport interface CreateSubscriptionInput {\n\taccountId: string;\n\tprojectId?: string | null;\n\tname: string;\n\tsubgraphName: string;\n\ttableName: string;\n\tfilter?: unknown;\n\tformat?: SubscriptionFormat;\n\truntime?: SubscriptionRuntime | null;\n\turl: string;\n\tauthConfig?: unknown;\n\tmaxRetries?: number;\n\ttimeoutMs?: number;\n\tconcurrency?: number;\n}\n\nexport interface CreateSubscriptionResult {\n\tsubscription: Subscription;\n\t/** Plaintext signing secret — surfaced once, never stored decrypted. */\n\tsigningSecret: string;\n}\n\nexport async function createSubscription(\n\tdb: Kysely<Database>,\n\tinput: CreateSubscriptionInput,\n): Promise<CreateSubscriptionResult> {\n\tconst signingSecret = generateSecret();\n\tconst row: InsertSubscription = {\n\t\taccount_id: input.accountId,\n\t\tproject_id: input.projectId ?? null,\n\t\tname: input.name,\n\t\tstatus: \"active\",\n\t\tsubgraph_name: input.subgraphName,\n\t\ttable_name: input.tableName,\n\t\tfilter: input.filter ?? {},\n\t\tformat: input.format ?? \"standard-webhooks\",\n\t\truntime: input.runtime ?? null,\n\t\turl: input.url,\n\t\tsigning_secret_enc: encryptSecret(signingSecret),\n\t\tauth_config: input.authConfig ?? {},\n\t\t...(input.maxRetries !== undefined ? { max_retries: input.maxRetries } : {}),\n\t\t...(input.timeoutMs !== undefined ? { timeout_ms: input.timeoutMs } : {}),\n\t\t...(input.concurrency !== undefined\n\t\t\t? { concurrency: input.concurrency }\n\t\t\t: {}),\n\t};\n\tconst subscription = await db\n\t\t.insertInto(\"subscriptions\")\n\t\t.values(row)\n\t\t.returningAll()\n\t\t.executeTakeFirstOrThrow();\n\treturn { subscription, signingSecret };\n}\n\nexport async function listSubscriptions(\n\tdb: Kysely<Database>,\n\taccountId: string,\n): Promise<Subscription[]> {\n\treturn db\n\t\t.selectFrom(\"subscriptions\")\n\t\t.selectAll()\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.orderBy(\"created_at\", \"desc\")\n\t\t.execute();\n}\n\nexport async function getSubscription(\n\tdb: Kysely<Database>,\n\taccountId: string,\n\tid: string,\n): Promise<Subscription | null> {\n\tconst row = await db\n\t\t.selectFrom(\"subscriptions\")\n\t\t.selectAll()\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"id\", \"=\", id)\n\t\t.executeTakeFirst();\n\treturn row ?? null;\n}\n\nexport async function getSubscriptionByName(\n\tdb: Kysely<Database>,\n\taccountId: string,\n\tname: string,\n): Promise<Subscription | null> {\n\tconst row = await db\n\t\t.selectFrom(\"subscriptions\")\n\t\t.selectAll()\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"name\", \"=\", name)\n\t\t.executeTakeFirst();\n\treturn row ?? null;\n}\n\nexport interface UpdateSubscriptionInput {\n\tname?: string;\n\tfilter?: unknown;\n\tformat?: SubscriptionFormat;\n\truntime?: SubscriptionRuntime | null;\n\turl?: string;\n\tauthConfig?: unknown;\n\tmaxRetries?: number;\n\ttimeoutMs?: number;\n\tconcurrency?: number;\n}\n\nexport async function updateSubscription(\n\tdb: Kysely<Database>,\n\taccountId: string,\n\tid: string,\n\tpatch: UpdateSubscriptionInput,\n): Promise<Subscription | null> {\n\tconst update: UpdateSubscription = { updated_at: new Date() };\n\tif (patch.name !== undefined) update.name = patch.name;\n\tif (patch.filter !== undefined) update.filter = patch.filter;\n\tif (patch.format !== undefined) update.format = patch.format;\n\tif (patch.runtime !== undefined) update.runtime = patch.runtime;\n\tif (patch.url !== undefined) update.url = patch.url;\n\tif (patch.authConfig !== undefined) update.auth_config = patch.authConfig;\n\tif (patch.maxRetries !== undefined) update.max_retries = patch.maxRetries;\n\tif (patch.timeoutMs !== undefined) update.timeout_ms = patch.timeoutMs;\n\tif (patch.concurrency !== undefined) update.concurrency = patch.concurrency;\n\n\tconst row = await db\n\t\t.updateTable(\"subscriptions\")\n\t\t.set(update)\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"id\", \"=\", id)\n\t\t.returningAll()\n\t\t.executeTakeFirst();\n\treturn row ?? null;\n}\n\nexport async function toggleSubscriptionStatus(\n\tdb: Kysely<Database>,\n\taccountId: string,\n\tid: string,\n\tstatus: SubscriptionStatus,\n): Promise<Subscription | null> {\n\tconst row = await db\n\t\t.updateTable(\"subscriptions\")\n\t\t.set({\n\t\t\tstatus,\n\t\t\tupdated_at: new Date(),\n\t\t\t...(status === \"active\"\n\t\t\t\t? {\n\t\t\t\t\t\tcircuit_failures: 0,\n\t\t\t\t\t\tcircuit_opened_at: null,\n\t\t\t\t\t}\n\t\t\t\t: {}),\n\t\t})\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"id\", \"=\", id)\n\t\t.returningAll()\n\t\t.executeTakeFirst();\n\treturn row ?? null;\n}\n\nexport async function deleteSubscription(\n\tdb: Kysely<Database>,\n\taccountId: string,\n\tid: string,\n): Promise<boolean> {\n\tconst res = await db\n\t\t.deleteFrom(\"subscriptions\")\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"id\", \"=\", id)\n\t\t.executeTakeFirst();\n\treturn Number(res.numDeletedRows ?? 0) > 0;\n}\n\nexport interface RotateSecretResult {\n\tsubscription: Subscription;\n\tsigningSecret: string;\n}\n\nexport async function rotateSubscriptionSecret(\n\tdb: Kysely<Database>,\n\taccountId: string,\n\tid: string,\n): Promise<RotateSecretResult | null> {\n\tconst signingSecret = generateSecret();\n\tconst row = await db\n\t\t.updateTable(\"subscriptions\")\n\t\t.set({\n\t\t\tsigning_secret_enc: encryptSecret(signingSecret),\n\t\t\tupdated_at: new Date(),\n\t\t})\n\t\t.where(\"account_id\", \"=\", accountId)\n\t\t.where(\"id\", \"=\", id)\n\t\t.returningAll()\n\t\t.executeTakeFirst();\n\tif (!row) return null;\n\treturn { subscription: row, signingSecret };\n}\n\n/** Decrypt a subscription's signing secret for HMAC signing at emit time. */\nexport function getSubscriptionSigningSecret(sub: Subscription): string {\n\treturn decryptSecret(sub.signing_secret_enc);\n}\n\n/** Fire `subscriptions:changed` notify so the emitter hot-reloads its cache. */\nexport async function notifySubscriptionsChanged(\n\tdb: Kysely<Database>,\n\taccountId: string,\n): Promise<void> {\n\tawait sql`SELECT pg_notify('subscriptions:changed', ${accountId})`.execute(db);\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAMO,SAAS,cAAc,GAAW;AAAA,EACxC,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA;AAO/B,SAAS,WAAW,CAAC,SAAiB,QAAwB;AAAA,EACpE,MAAM,OAAO,WAAW,UAAU,MAAM;AAAA,EACxC,KAAK,OAAO,OAAO;AAAA,EACnB,OAAO,KAAK,OAAO,KAAK;AAAA;AAOlB,SAAS,eAAe,CAC9B,SACA,WACA,QACU;AAAA,EACV,MAAM,oBAAoB,YAAY,SAAS,MAAM;AAAA,EAGrD,IAAI,UAAU,WAAW,kBAAkB,QAAQ;AAAA,IAClD,OAAO;AAAA,EACR;AAAA,EAEA,IAAI,SAAS;AAAA,EACb,SAAS,IAAI,EAAG,IAAI,UAAU,QAAQ,KAAK;AAAA,IAC1C,UAAU,UAAU,WAAW,CAAC,IAAI,kBAAkB,WAAW,CAAC;AAAA,EACnE;AAAA,EAEA,OAAO,WAAW;AAAA;AAOZ,SAAS,qBAAqB,CACpC,SACA,QACA,WACS;AAAA,EACT,MAAM,KAAK,aAAa,KAAK,MAAM,KAAK,IAAI,IAAI,IAAI;AAAA,EACpD,MAAM,gBAAgB,GAAG,MAAM;AAAA,EAC/B,MAAM,YAAY,YAAY,eAAe,MAAM;AAAA,EAEnD,OAAO,KAAK,SAAS;AAAA;AAOf,SAAS,qBAAqB,CACpC,SACA,QACA,QACA,mBAAmB,KACT;AAAA,EAEV,MAAM,QAAQ,OAAO,MAAM,GAAG;AAAA,EAC9B,MAAM,YAAY,MAAM,KAAK,CAAC,MAAM,EAAE,WAAW,IAAI,CAAC,GAAG,MAAM,CAAC;AAAA,EAChE,MAAM,YAAY,MAAM,KAAK,CAAC,MAAM,EAAE,WAAW,KAAK,CAAC,GAAG,MAAM,CAAC;AAAA,EAEjE,IAAI,CAAC,aAAa,CAAC,WAAW;AAAA,IAC7B,OAAO;AAAA,EACR;AAAA,EAEA,MAAM,KAAK,OAAO,SAAS,WAAW,EAAE;AAAA,EACxC,IAAI,MAAM,EAAE,GAAG;AAAA,IACd,OAAO;AAAA,EACR;AAAA,EAGA,MAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,IAAI;AAAA,EACxC,IAAI,KAAK,IAAI,MAAM,EAAE,IAAI,kBAAkB;AAAA,IAC1C,OAAO;AAAA,EACR;AAAA,EAGA,MAAM,gBAAgB,GAAG,MAAM;AAAA,EAC/B,OAAO,gBAAgB,eAAe,WAAW,MAAM;AAAA;;;AC1ExD,IAAM,cAAuC,CAAC,OAAO,aAAa,UAAU;AAOrE,SAAS,eAAe,GAAiB;AAAA,EAC/C,MAAM,MAAM,QAAQ,IAAI,eAAe,KAAK,EAAE,YAAY;AAAA,EAC1D,IAAI,OAAQ,YAAkC,SAAS,GAAG,GAAG;AAAA,IAC5D,OAAO;AAAA,EACR;AAAA,EACA,OAAO;AAAA;AAID,SAAS,cAAc,GAAY;AAAA,EACzC,OAAO,gBAAgB,MAAM;AAAA;AAIvB,SAAS,SAAS,GAAY;AAAA,EACpC,OAAO,gBAAgB,MAAM;AAAA;AAIvB,SAAS,eAAe,GAAY;AAAA,EAC1C,OAAO,gBAAgB,MAAM;AAAA;;;AC7C9B,0DAA2C;AAC3C;AACA;AAqBA,IAAM,UAAU;AAChB,IAAM,SAAS;AACf,IAAM,UAAU;AAEhB,SAAS,eAAe,GAAW;AAAA,EAClC,MAAM,UAAU,QAAQ,QAAQ,IAAI,GAAG,YAAY;AAAA,EAGnD,IAAI,WAAW,OAAO,GAAG;AAAA,IACxB,MAAM,WAAW,aAAa,SAAS,MAAM;AAAA,IAC7C,MAAM,QAAQ,SAAS,MAAM,6CAA6C;AAAA,IAC1E,IAAI,OAAO;AAAA,MACV,QAAQ,IAAI,WAAW,MAAM;AAAA,MAC7B,OAAO,MAAM;AAAA,IACd;AAAA,EACD;AAAA,EAEA,MAAM,MAAM,aAAY,EAAE,EAAE,SAAS,KAAK;AAAA,EAC1C,MAAM,OAAO,GAAG,WAAW,OAAO,IAAI;AAAA,IAAO,KAAK,WAAW;AAAA;AAAA,EAC7D,eAAe,SAAS,MAAM,EAAE,MAAM,IAAM,CAAC;AAAA,EAC7C,QAAQ,IAAI,WAAW;AAAA,EACvB,QAAQ,IACP,2BAA2B,qBAAqB,qBACjD;AAAA,EACA,OAAO;AAAA;AAGR,SAAS,OAAO,GAAW;AAAA,EAC1B,IAAI,MAAM,QAAQ,IAAI;AAAA,EACtB,IAAI,CAAC,KAAK;AAAA,IACT,IAAI,gBAAgB,MAAM,OAAO;AAAA,MAChC,MAAM,gBAAgB;AAAA,IACvB,EAAO;AAAA,MACN,MAAM,IAAI,MACT,GAAG,0DACJ;AAAA;AAAA,EAEF;AAAA,EACA,MAAM,MAAM,OAAO,KAAK,KAAK,KAAK;AAAA,EAClC,IAAI,IAAI,WAAW,IAAI;AAAA,IACtB,MAAM,IAAI,MAAM,GAAG,qCAAqC,IAAI,SAAS;AAAA,EACtE;AAAA,EACA,OAAO;AAAA;AAGR,IAAI,aAA4B;AAChC,SAAS,MAAM,GAAW;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,aAAa,QAAQ;AAAA,EACtC,OAAO;AAAA;AAGD,SAAS,aAAa,CAAC,WAA2B;AAAA,EACxD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,aAAY,MAAM;AAAA,EAC7B,MAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAAA,EACpD,MAAM,aAAa,OAAO,OAAO;AAAA,IAChC,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACd,CAAC;AAAA,EACD,MAAM,MAAM,OAAO,WAAW;AAAA,EAC9B,OAAO,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC;AAAA;AAGpC,SAAS,aAAa,CAAC,UAA0B;AAAA,EACvD,MAAM,MAAM,OAAO;AAAA,EACnB,MAAM,KAAK,SAAS,SAAS,GAAG,MAAM;AAAA,EACtC,MAAM,MAAM,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,EACtD,MAAM,aAAa,SAAS,SAAS,SAAS,OAAO;AAAA,EACrD,MAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AAAA,EACxD,SAAS,WAAW,GAAG;AAAA,EACvB,OAAO,SAAS,OAAO,UAAU,EAAE,SAAS,MAAM,IAAI,SAAS,MAAM,MAAM;AAAA;AAIrE,SAAS,kBAAkB,GAAW;AAAA,EAC5C,OAAO,aAAY,EAAE,EAAE,SAAS,KAAK;AAAA;;;AClGtC;AAyCA,eAAsB,kBAAkB,CACvC,IACA,OACoC;AAAA,EACpC,MAAM,gBAAgB,eAAe;AAAA,EACrC,MAAM,MAA0B;AAAA,IAC/B,YAAY,MAAM;AAAA,IAClB,YAAY,MAAM,aAAa;AAAA,IAC/B,MAAM,MAAM;AAAA,IACZ,QAAQ;AAAA,IACR,eAAe,MAAM;AAAA,IACrB,YAAY,MAAM;AAAA,IAClB,QAAQ,MAAM,UAAU,CAAC;AAAA,IACzB,QAAQ,MAAM,UAAU;AAAA,IACxB,SAAS,MAAM,WAAW;AAAA,IAC1B,KAAK,MAAM;AAAA,IACX,oBAAoB,cAAc,aAAa;AAAA,IAC/C,aAAa,MAAM,cAAc,CAAC;AAAA,OAC9B,MAAM,eAAe,YAAY,EAAE,aAAa,MAAM,WAAW,IAAI,CAAC;AAAA,OACtE,MAAM,cAAc,YAAY,EAAE,YAAY,MAAM,UAAU,IAAI,CAAC;AAAA,OACnE,MAAM,gBAAgB,YACvB,EAAE,aAAa,MAAM,YAAY,IACjC,CAAC;AAAA,EACL;AAAA,EACA,MAAM,eAAe,MAAM,GACzB,WAAW,eAAe,EAC1B,OAAO,GAAG,EACV,aAAa,EACb,wBAAwB;AAAA,EAC1B,OAAO,EAAE,cAAc,cAAc;AAAA;AAGtC,eAAsB,iBAAiB,CACtC,IACA,WAC0B;AAAA,EAC1B,OAAO,GACL,WAAW,eAAe,EAC1B,UAAU,EACV,MAAM,cAAc,KAAK,SAAS,EAClC,QAAQ,cAAc,MAAM,EAC5B,QAAQ;AAAA;AAGX,eAAsB,eAAe,CACpC,IACA,WACA,IAC+B;AAAA,EAC/B,MAAM,MAAM,MAAM,GAChB,WAAW,eAAe,EAC1B,UAAU,EACV,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,MAAM,KAAK,EAAE,EACnB,iBAAiB;AAAA,EACnB,OAAO,OAAO;AAAA;AAGf,eAAsB,qBAAqB,CAC1C,IACA,WACA,MAC+B;AAAA,EAC/B,MAAM,MAAM,MAAM,GAChB,WAAW,eAAe,EAC1B,UAAU,EACV,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,QAAQ,KAAK,IAAI,EACvB,iBAAiB;AAAA,EACnB,OAAO,OAAO;AAAA;AAef,eAAsB,kBAAkB,CACvC,IACA,WACA,IACA,OAC+B;AAAA,EAC/B,MAAM,SAA6B,EAAE,YAAY,IAAI,KAAO;AAAA,EAC5D,IAAI,MAAM,SAAS;AAAA,IAAW,OAAO,OAAO,MAAM;AAAA,EAClD,IAAI,MAAM,WAAW;AAAA,IAAW,OAAO,SAAS,MAAM;AAAA,EACtD,IAAI,MAAM,WAAW;AAAA,IAAW,OAAO,SAAS,MAAM;AAAA,EACtD,IAAI,MAAM,YAAY;AAAA,IAAW,OAAO,UAAU,MAAM;AAAA,EACxD,IAAI,MAAM,QAAQ;AAAA,IAAW,OAAO,MAAM,MAAM;AAAA,EAChD,IAAI,MAAM,eAAe;AAAA,IAAW,OAAO,cAAc,MAAM;AAAA,EAC/D,IAAI,MAAM,eAAe;AAAA,IAAW,OAAO,cAAc,MAAM;AAAA,EAC/D,IAAI,MAAM,cAAc;AAAA,IAAW,OAAO,aAAa,MAAM;AAAA,EAC7D,IAAI,MAAM,gBAAgB;AAAA,IAAW,OAAO,cAAc,MAAM;AAAA,EAEhE,MAAM,MAAM,MAAM,GAChB,YAAY,eAAe,EAC3B,IAAI,MAAM,EACV,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,MAAM,KAAK,EAAE,EACnB,aAAa,EACb,iBAAiB;AAAA,EACnB,OAAO,OAAO;AAAA;AAGf,eAAsB,wBAAwB,CAC7C,IACA,WACA,IACA,QAC+B;AAAA,EAC/B,MAAM,MAAM,MAAM,GAChB,YAAY,eAAe,EAC3B,IAAI;AAAA,IACJ;AAAA,IACA,YAAY,IAAI;AAAA,OACZ,WAAW,WACZ;AAAA,MACA,kBAAkB;AAAA,MAClB,mBAAmB;AAAA,IACpB,IACC,CAAC;AAAA,EACL,CAAC,EACA,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,MAAM,KAAK,EAAE,EACnB,aAAa,EACb,iBAAiB;AAAA,EACnB,OAAO,OAAO;AAAA;AAGf,eAAsB,kBAAkB,CACvC,IACA,WACA,IACmB;AAAA,EACnB,MAAM,MAAM,MAAM,GAChB,WAAW,eAAe,EAC1B,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,MAAM,KAAK,EAAE,EACnB,iBAAiB;AAAA,EACnB,OAAO,OAAO,IAAI,kBAAkB,CAAC,IAAI;AAAA;AAQ1C,eAAsB,wBAAwB,CAC7C,IACA,WACA,IACqC;AAAA,EACrC,MAAM,gBAAgB,eAAe;AAAA,EACrC,MAAM,MAAM,MAAM,GAChB,YAAY,eAAe,EAC3B,IAAI;AAAA,IACJ,oBAAoB,cAAc,aAAa;AAAA,IAC/C,YAAY,IAAI;AAAA,EACjB,CAAC,EACA,MAAM,cAAc,KAAK,SAAS,EAClC,MAAM,MAAM,KAAK,EAAE,EACnB,aAAa,EACb,iBAAiB;AAAA,EACnB,IAAI,CAAC;AAAA,IAAK,OAAO;AAAA,EACjB,OAAO,EAAE,cAAc,KAAK,cAAc;AAAA;AAIpC,SAAS,4BAA4B,CAAC,KAA2B;AAAA,EACvE,OAAO,cAAc,IAAI,kBAAkB;AAAA;AAI5C,eAAsB,0BAA0B,CAC/C,IACA,WACgB;AAAA,EAChB,MAAM,gDAAgD,aAAa,QAAQ,EAAE;AAAA;",
+  "debugId": "6C6C97A09D12DAB864756E2164756E21",
+  "names": []
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@secondlayer/shared",
-	"version": "3.0.0-beta.1",
+	"version": "3.0.0",
 	"type": "module",
 	"main": "./dist/src/index.js",
 	"types": "./dist/src/index.d.ts",
@@ -81,21 +81,17 @@
 			"types": "./dist/src/db/queries/account-spend-caps.d.ts",
 			"import": "./dist/src/db/queries/account-spend-caps.js"
 		},
-		"./db/queries/sentries": {
-			"types": "./dist/src/db/queries/sentries.d.ts",
-			"import": "./dist/src/db/queries/sentries.js"
-		},
 		"./db/queries/account-usage": {
 			"types": "./dist/src/db/queries/account-usage.d.ts",
 			"import": "./dist/src/db/queries/account-usage.js"
 		},
-		"./db/queries/workflow-runs": {
-			"types": "./dist/src/db/queries/workflow-runs.d.ts",
-			"import": "./dist/src/db/queries/workflow-runs.js"
+		"./db/queries/subscriptions": {
+			"types": "./dist/src/db/queries/subscriptions.d.ts",
+			"import": "./dist/src/db/queries/subscriptions.js"
 		},
-		"./schemas/sentries": {
-			"types": "./dist/src/schemas/sentries.d.ts",
-			"import": "./dist/src/schemas/sentries.js"
+		"./crypto/standard-webhooks": {
+			"types": "./dist/src/crypto/standard-webhooks.d.ts",
+			"import": "./dist/src/crypto/standard-webhooks.js"
 		},
 		"./types": {
 			"types": "./dist/src/types.d.ts",
@@ -176,7 +172,7 @@
 		"prepublishOnly": "bun run build"
 	},
 	"dependencies": {
-		"@secondlayer/stacks": "^1.0.0-alpha.0",
+		"@secondlayer/stacks": "^1.0.0",
 		"kysely": "0.28.15",
 		"kysely-postgres-js": "3.0.0",
 		"postgres": "^3.4.6",